Date: Mon, 22 Jun 2015 08:16:03 -0500
From: Kyle Kelley <>
Subject: CVE request: IPython XSS in JSON error responses

Email addresses of requester:;;
Software name: IPython notebook
Type of vulnerability: XSS
Attack outcome: Remote execution
 * Current 3.x release
 * Minor backport to 2.x

Affected versions: 2.0 ≤ version ≤ 2.4.1, 3.0 ≤ version ≤ 3.1

Summary: JSON error responses from the IPython notebook REST API contained
URL parameters and were incorrectly reported as text/html instead of
application/json. The error messages included some of these URL params,
resulting in a cross-site scripting attack. This affects users on Mozilla
Firefox but not Chromium/Google Chrome.

API paths with issues:

* /api/contents (3.0-3.1)
* /api/notebooks (2.0-2.4, 3.0-3.1)


Upgrade to IPython 3.2. If using pip,

  pip install --upgrade ipython[notebook]

For conda:

  conda update conda
  conda update ipython ipython-notebook

If you can't upgrade directly,

* Set the content security policy for the API headers of the notebook to
include `default-src 'none'` (
* Set the content type on API handlers to application/json
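As an added example (not part of this advisory or the IPython project), the check below inspects a captured HTTP response from a notebook server's REST API and reports whether an error response has the two properties the workaround asks for: a JSON content type and a CSP of `default-src 'none'`. The sample responses and the error message wording are constructed, not real IPython output.

```python
import json
from email.parser import Parser


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block)  # case-insensitive header lookup
    return status, headers, body


def check_api_error_response(raw: str) -> list:
    """Return a list of findings for an API error response; empty means OK."""
    status, headers, body = parse_response(raw)
    findings = []
    if status < 400:
        return findings  # only error responses are in scope for the advisory
    ctype = (headers.get("Content-Type") or "").split(";")[0].strip().lower()
    if ctype != "application/json":
        findings.append("error body served as %r, not application/json"
                        % (ctype or "<missing>"))
    csp = headers.get("Content-Security-Policy") or ""
    directives = [d.strip().lower() for d in csp.split(";")]
    if "default-src 'none'" not in directives:
        findings.append("Content-Security-Policy lacks default-src 'none'")
    try:
        json.loads(body)
    except ValueError:
        findings.append("error body is not valid JSON")
    return findings


# Constructed sample: an HTML-typed 404 that echoes the request path.
VULNERABLE = ("HTTP/1.1 404 Not Found\r\n"
              "Content-Type: text/html; charset=UTF-8\r\n\r\n"
              "<html><title>404: /api/notebooks/missing.ipynb</title></html>")

# Constructed sample: the same error with the workaround headers applied.
FIXED = ("HTTP/1.1 404 Not Found\r\n"
         "Content-Type: application/json\r\n"
         "Content-Security-Policy: default-src 'none'\r\n\r\n"
         '{"message": "No such file: /api/notebooks/missing.ipynb"}')

if __name__ == "__main__":
    for name, raw in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, check_api_error_response(raw) or "OK")
```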

Vulnerability was found by Ahmad Khan, Security Engineer at IBM.

Kyle Kelley (@...krk <>;,
