exploitDog

CVE-2018-19351

Published: 18 Nov 2018
Source: nvd
CVSS3: 6.1
CVSS2: 4.3
EPSS: Low

Description

Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.

Vulnerable configurations

Configuration 1
cpe:2.3:a:jupyter:notebook:*:*:*:*:*:*:*:*
Versions before 5.7.1 (exclusive)

EPSS

Percentile: 53%
0.00307
Low

CVSS3: 6.1 Medium

CVSS2: 4.3 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
ubuntu
about 7 years ago

Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.

CVSS3: 6.1
debian
about 7 years ago

Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook bec ...

CVSS3: 6.1
github
about 7 years ago

Jupyter Notebook XSS via untrusted notebooks
