Re: CVE request: maliciously crafted notebook files in Jupyter

[Thomas Kluyver <takowl () gmail com>]

Thanks Salvatore. Devdatta Akhawe filled in the form on my behalf, and
we've now been assigned CVE-2018-8768.

I'm going to merge the fix now and start the release process for 5.4.1.

Thomas

On 17 March 2018 at 14:05, Salvatore Bonaccorso <carnil () debian org> wrote:

> Hi,
>
> On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
> > Email address of requester: security () ipython org, thomas () kluyver me uk,
> benjaminrk () gmail com, jkamens () quantopian com, ssanderson () quantopian com
> > Software name: Jupyter Notebook (formerly IPython Notebook)
> > Type of vulnerability: Maliciously forged file
> > Attack outcome: Possible remote execution
> >
> > Vulnerability: A maliciously forged notebook file can bypass
> sanitization to execute Javascript in the notebook context. Specifically,
> invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
> > Affected versions:
> >
> > - notebook ≤ 5.4.0
> >
> > URI with issues:
> >
> > - GET /notebook/**
> >
> > Patches:  not yet finalised
> >
> > Mitigations:
> >
> > Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> > If using pip,
> >
> >     pip install --upgrade notebook
> >
> > For conda:
> >
> >     conda update conda
> >     conda update notebook
> >
> > Vulnerability reported by vkgonka () mail ru , via Jonathan Kamens at
> Quantopian
>
> Thanks for the headsup.
>
> This reply is mainly for this other purpose: It looks you wanted to
> have a CVE assigned trough this reply to the list. CVE's cannot
> anymore be requested via the oss-security list. If you want to request
> one please have a look at https://cveform.mitre.org/
>
> Once you have the CVE assigned, can you please loop back the
> assignement in this thread?
>
> Regards,
> Salvatore