Date: Sat, 17 Mar 2018 15:05:46 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: security <security@...thon.org>, MinRK <benjaminrk@...il.com>, jkamens@...ntopian.com, ssanderson@...ntopian.com
Subject: Re: CVE request: maliciously crafted notebook files in Jupyter

Hi,

On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
> Email address of requester: security@...thon.org, thomas@...yver.me.uk, benjaminrk@...il.com, jkamens@...ntopian.com, ssanderson@...ntopian.com
>
> Software name: Jupyter Notebook (formerly IPython Notebook)
> Type of vulnerability: Maliciously forged file
> Attack outcome: Possible remote execution
>
> Vulnerability: A maliciously forged notebook file can bypass sanitization to execute Javascript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
>
> Affected versions:
>
> - notebook ≤ 5.4.0
>
> URI with issues:
>
> - GET /notebook/**
>
> Patches: not yet finalised
>
> Mitigations:
>
> Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> If using pip,
>
>     pip install --upgrade notebook
>
> For conda:
>
>     conda update conda
>     conda update notebook
>
> Vulnerability reported by vkgonka@...l.ru, via Jonathan Kamens at Quantopian

Thanks for the heads-up. This reply is mainly for this other purpose:

It looks like you wanted to have a CVE assigned through this reply to the list. CVEs can no longer be requested via the oss-security list. If you want to request one, please have a look at https://cveform.mitre.org/

Once you have the CVE assigned, can you please loop back the assignment in this thread?

Regards,
Salvatore
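The bug class behind the request above (a sanitizer that works on the raw HTML string, followed by a parser that "fixes" invalid markup into something the sanitizer never saw) is easy to reproduce outside the notebook. The following is an added illustration, not the notebook's own sanitizer, not its jQuery code path, and not the bypass that was reported (the page does not describe it; patches were "not yet finalised"). It assumes Python's stdlib html.parser as a stand-in for the browser/jQuery parser, an invented regex filter as the weak sanitizer, an assumed tag/attribute allowlist, and a constructed payload in which no whitespace separates two attributes: the regex never sees " onerror=", yet any HTML parser still yields an onerror attribute. The hardened path parses first, filters the parsed events, and re-emits canonical HTML so a later parser has nothing left to repair.

```python
"""Constructed example (not the notebook's sanitizer and not the reported
bypass): a sanitizer working on the raw HTML string is out-run by the parser
that later turns the string into nodes. html.parser stands in for jQuery."""
import re
from html import escape
from html.parser import HTMLParser

# Weak approach: regex filter on the raw string. It only recognises an event
# handler when whitespace precedes the attribute name (assumed filter).
_SCRIPT_RE = re.compile(r"<script\b.*?</script\s*>", re.I | re.S)
_HANDLER_RE = re.compile(r"""\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.I)

def naive_sanitize(markup: str) -> str:
    """Strip <script> blocks and on*= handlers by regex, string level only."""
    return _HANDLER_RE.sub("", _SCRIPT_RE.sub("", markup))

def parsed_attribute_names(markup: str) -> list:
    """Attribute names the parser yields, i.e. what it 'fixes' the markup into."""
    names = []
    p = HTMLParser()
    p.handle_starttag = lambda tag, attrs: names.extend(n for n, _ in attrs)
    p.feed(markup)
    p.close()
    return names

# Hardened approach: parse first, allowlist on the parse events, then emit
# canonical well-formed HTML so a second parser has nothing left to "fix".
ALLOWED = {  # tag -> attribute names kept on it (assumed allowlist)
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "code": set(), "pre": set(), "a": {"href", "title"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}
DROP_CONTENT = {"script", "style"}  # disallowed, and their text is dropped too
_SAFE_URL = re.compile(r"^(?:https?:|mailto:|[^:]*$)", re.I)  # no other schemes

class _Rebuilder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED:
            return  # drop the tag; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue  # on*, style, etc. never survive
            if name in ("href", "src") and not _SAFE_URL.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif tag in self.open:  # close unclosed children, then the tag itself
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:  # balance whatever the input left open
            self.out.append(f"</{self.open.pop()}>")

def tree_sanitize(markup: str) -> str:
    r = _Rebuilder()
    r.feed(markup)
    r.close()
    return "".join(r.out)

def is_fixed_point(markup: str) -> bool:
    """Sanitizing the output again must change nothing."""
    once = tree_sanitize(markup)
    return tree_sanitize(once) == once

# Constructed payload: no whitespace before onerror, so the regex never sees
# " onerror=", yet every HTML parser still yields an onerror attribute.
PAYLOAD = '<p>hi<img src="x"onerror="alert(1)"></p>'

if __name__ == "__main__":
    weak = naive_sanitize(PAYLOAD)
    print("regex left:", weak, "-> parser sees:", parsed_attribute_names(weak))
    print("parse-then-sanitize:", tree_sanitize(PAYLOAD))
```

The check worth keeping from this is the last function: whatever sanitizer is in use, feed its output back through the same parse-and-sanitize step and require that nothing changes. A Python parser is only a proxy, though; the verdict that matters is the one produced by the parser that will actually render the markup, which in the notebook's case is the browser via jQuery.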