Re: CVE request: maliciously crafted notebook files in Jupyter

[Ricter Zheng <ricterzheng () gmail com>]

Hi Thomas Klutver,

I am a student from china major in information security, I'm very interest
about the vulnerability. I tried to reproduction the vulnerability but
failed, so can you provide some technology detail about it?

Thank you.
--
Ricter Zheng

Thomas Kluyver <thomas () kluyver me uk>于2018年3月15日周四 下午10:27写道：

> Email address of requester: security () ipython org, thomas () kluyver me uk,
> benjaminrk () gmail com, jkamens () quantopian com, ssanderson () quantopian com
>
> Software name: Jupyter Notebook (formerly IPython Notebook)
> Type of vulnerability: Maliciously forged file
> Attack outcome: Possible remote execution
>
> Vulnerability: A maliciously forged notebook file can bypass sanitization
> to execute Javascript in the notebook context. Specifically, invalid HTML
> is 'fixed' by jQuery after sanitization, making it dangerous.
>
> Affected versions:
>
> - notebook ≤ 5.4.0
>
> URI with issues:
>
> - GET /notebook/**
>
> Patches:  not yet finalised
>
> Mitigations:
>
> Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> If using pip,
>
>     pip install --upgrade notebook
>
> For conda:
>
>     conda update conda
>     conda update notebook
>
> Vulnerability reported by vkgonka () mail ru , via Jonathan Kamens at
> Quantopian
>
> --
Ricter Z