Описание
JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions untrusted notebook can execute code on load. In particular JupyterLab doesn’t sanitize the action attribute of html <form>. Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook.
Ссылки
- ExploitThird Party Advisory
- Third Party Advisory
- ExploitThird Party Advisory
- Third Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 1.2.21 (исключая)Версия от 2.0.0 (включая) до 2.2.10 (исключая)Версия от 2.3.0 (включая) до 2.3.2 (исключая)Версия от 3.0.0 (включая) до 3.0.17 (исключая)Версия от 3.1.0 (включая) до 3.1.4 (исключая)
Одно из
cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*
cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*
cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*
cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*
cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*
EPSS
Процентиль: 78%
0.01136
Низкий
7.4 High
CVSS3
9.6 Critical
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-79
CWE-79
Связанные уязвимости
CVSS3: 7.4
debian
больше 4 лет назад
JupyterLab is a user interface for Project Jupyter which will eventual ...
CVSS3: 7.4
github
больше 4 лет назад
JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
EPSS
Процентиль: 78%
0.01136
Низкий
7.4 High
CVSS3
9.6 Critical
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-79
CWE-79