Date: Thu, 15 Mar 2018 13:55:59 +0000
From: Thomas Kluyver <>
Cc: security <>, MinRK <>,,
Subject: CVE request: maliciously crafted notebook files in Jupyter

Email address of requester:,,,,

Software name: Jupyter Notebook (formerly IPython Notebook)
Type of vulnerability: Maliciously forged file
Attack outcome: Possible remote execution

Vulnerability: A maliciously forged notebook file can bypass sanitization to execute Javascript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

Affected versions:

- notebook ≤ 5.4.0

URI with issues:

- GET /notebook/**

Patches: not yet finalised

Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
If using pip,

    pip install --upgrade notebook

For conda:

    conda update conda
    conda update notebook

Vulnerability reported by , via Jonathan Kamens at Quantopian
