Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 22 Jun 2015 17:25:21 -0400 (EDT)
From: cve-assign@...re.org
To: rgbkrk@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@...thon.org
Subject: Re: CVE request: IPython XSS in JSON error responses

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce
> https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c

> JSON error responses from the IPython notebook REST API contained
> URL parameters and were incorrectly reported as text/html instead of
> application/json. The error messages included some of these URL params,
> resulting in a cross site scripting attack.

(We wanted to have two CVE IDs because of the following difference in
how 2.x and 3.x are affected. We realize that this is perhaps a
marginal case for that, because the 3.x code is essentially just:

  self.log.warn("/api/notebooks is deprecated, use /api/contents")
  self.redirect(url_path_join(
      self.base_url,
      'api/contents',

)

> /api/contents (3.0-3.1)

Use CVE-2015-4706 for the /api/contents path.


> /api/notebooks (2.0-2.4, 3.0-3.1)

Use CVE-2015-4707 for the /api/notebooks path.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJViHxpAAoJEKllVAevmvmsKHMH/1/6j3dATboZR89XjRTsMhob
mQa5sqbEjCAHUxvfZlCPqDc/JQ+P+76cvOqjkyS/xDlvl9hLj2EBF46apVOLexcw
UdiR3FmVsBNUq/QPupSobZGPrMywaypla34MfIbSod/rDZN/A8sGDvt7J6sGOoAU
on4ZddKjCg85YUQr47AgVmU1FLnGpkPyA22KazhJnSyfdNv5/OptG4QwMnH5o774
SospTf0okgh180Fj54BnNwiPARA71syjOyYBoveQDKbbdkKTtaWB9cWVeAvePkrd
mc1Yvvxwzws/wednn2qFLTWPPCvUvUEswHSuB5p9JDpizdQDO8t8xeBWmZkWXu0=
=sYFZ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ