GHSA-4m77-cmpx-vjc4

Опубликовано: 19 янв. 2024

Источник: github

Github: Прошло ревью

CVSS3: 6.5

Описание

JupyterLab vulnerable to SXSS in Markdown Preview

Impact

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

Patches

JupyterLab v4.0.11 was patched.

Workarounds

Users can either disable the table of contents extension by running:

jupyter labextension disable @jupyterlab/toc-extension:registry

References

Vulnerability reported via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

Ссылки

Пакеты

Наименование

jupyterlab

pip

Затронутые версииВерсия исправления

>= 4.0.0, <= 4.0.10

4.0.11

Наименование

notebook

pip

Затронутые версииВерсия исправления

>= 7.0.0, <= 7.0.6

7.0.7

EPSS

Процентиль: 63%

0.00448

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2024-22420

Дефекты

CWE-79

Связанные уязвимости

CVE-2024-22420

CVSS3: 6.5

ubuntu

около 2 лет назад

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab version 4.0.11 has been patched. Users are advised to upgrade. Users unable to upgrade should disable the table of contents extension.

CVE-2024-22420

CVSS3: 6.5

nvd

около 2 лет назад

CVE-2024-22420

CVSS3: 6.5

debian

около 2 лет назад

JupyterLab is an extensible environment for interactive and reproducib ...

EPSS

Процентиль: 63%

0.00448

Низкий

6.5 Medium

CVSS3

CVE ID

CVE-2024-22420

Дефекты

CWE-79