CVE-2025-30370

Published: 03 Apr 2025
Source: redhat
CVSS3: 7.4
EPSS: Low

Description

jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command is run in the user's shell without the user's permission. This issue is occurring because when that menu entry is clicked, jupyterlab-git opens the terminal and runs cd through the shell to set the current directory. Doing so runs any command substitution strings present in the directory name, which leads to the command injection issue described here. A previous patch provided an incomplete fix. This vulnerability is fixed in 0.51.1.

A flaw was found in jupyterlab-git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command is run in the user's shell without the user's permission. This issue allows for arbitrary code execution via command injection. A wide range of actions are permitted by this issue, including but not limited to: modifying files, exfiltrating data, halting services, or compromising the server's security rules.
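To make the mechanism concrete, here is an added illustration in Python (not code from jupyterlab-git or from this advisory): the raw "cd <path>" interpolation that expands a substitution string is shown beside two hardened forms, quoting the path for the shell and bypassing the shell entirely with cwd=, plus a simple detection check for directory names a shell would interpret. The function names, the metacharacter set and the sample repository name are constructed for the example.

```python
import os
import shlex
import shutil
import subprocess
import tempfile

# Characters a POSIX shell interprets in an unquoted word. A repository
# directory name containing any of them must never be pasted raw into a
# command line that a shell will parse.
SHELL_META = set("$`\\\"'|&;<>()*?[]{}~!#\n\t ")

def has_shell_metachars(name: str) -> bool:
    """Detection check: flag directory names a shell would expand or split."""
    return any(ch in SHELL_META for ch in name)

def build_cd_unsafe(repo_path: str) -> str:
    # The pattern behind the CVE: the path is interpolated raw, so a "$(...)"
    # in the directory name is expanded by the shell when this line runs.
    return f"cd {repo_path}"

def build_cd_safe(repo_path: str) -> str:
    # shlex.quote wraps the path in single quotes (escaping embedded quotes),
    # so the shell hands cd one literal word and performs no substitution.
    return f"cd {shlex.quote(repo_path)}"

def run_in_repo(argv: list, repo_path: str) -> str:
    # Preferred fix: do not route the directory change through a shell at all.
    # cwd= sets the working directory directly and argv is never re-parsed.
    return subprocess.run(argv, cwd=repo_path, capture_output=True,
                          text=True, check=True).stdout.strip()

def demo() -> dict:
    # Constructed sample: a repository whose name carries a substitution
    # string; "echo" keeps the constructed name itself harmless.
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo$(echo INJECTED)")
    os.mkdir(repo)
    # Run only the quoted form through sh and record where cd actually landed.
    quoted = subprocess.run(["sh", "-c", build_cd_safe(repo) + " && pwd -P"],
                            capture_output=True, text=True, check=True).stdout.strip()
    result = {"flagged": has_shell_metachars(os.path.basename(repo)),
              "unsafe_line": build_cd_unsafe(repo),
              "safe_line": build_cd_safe(repo),
              "quoted_cd_landed_in": quoted,
              "cwd_landed_in": run_in_repo(["sh", "-c", "pwd -P"], repo),
              "expected": os.path.realpath(repo)}
    shutil.rmtree(base)
    return result
```

Both hardened forms land in the literally named directory; only the unsafe line would have let the shell expand the name.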

Statement

Red Hat Product Security has determined that this vulnerability does not affect any currently supported Red Hat product.

Mitigation

It is recommended that users upgrade to the patched versions. However, if a user is unable to upgrade, there are 3 different ways to mitigate this vulnerability without upgrading to a patched version.

  • Disable terminals on jupyter-server level: c.ServerApp.terminals_enabled = False
  • Disable the terminals server extension: jupyter server extension disable jupyter_server_terminals
  • Disable the lab extension: jupyter labextension disable @jupyterlab/terminal-extension

Affected packages

Platform                      Package                                  State         Advisory   Release
Red Hat OpenShift AI (RHOAI)  rhoai/odh-kf-notebook-controller-rhel8   Not affected
Red Hat OpenShift AI (RHOAI)  rhoai/odh-notebook-controller-rhel8      Not affected


Additional information

Status:

Important
Weakness:
CWE-78
https://bugzilla.redhat.com/show_bug.cgi?id=2357342
jupyterlab-git: jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"

EPSS: 0.00033 (percentile: 8%, Low)

CVSS3: 7.4 High

Related vulnerabilities

CVSS3: 7.4
nvd
5 months ago

jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(<command>). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command <command> is run in the user's shell without the user's permission. This issue is occurring because when that menu entry is clicked, jupyterlab-git opens the terminal and runs cd <git-repo-path> through the shell to set the current directory. Doing so runs any command substitution strings present in the directory name, which leads to the command injection issue described here. A previous patch provided an incomplete fix. This vulnerability is fixed in 0.51.1.

CVSS3: 7.4
github
5 months ago

jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"

CVSS3: 7.4
fstec
5 months ago

A vulnerability in the "Open Git Repository in Terminal" control of the jupyterlab-git extension for the JupyterLab web-based interactive development environment, which allows an attacker to gain read and modify access to data and execute arbitrary commands
