Date: Sat, 17 Mar 2018 15:05:46 +0100
From: Salvatore Bonaccorso <>
Cc: security <>, MinRK <>,,
Subject: Re: CVE request: maliciously crafted notebook files in Jupyter


On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
> Email address of requester:,,,,
> Software name: Jupyter Notebook (formerly IPython Notebook)
> Type of vulnerability: Maliciously forged file
> Attack outcome: Possible remote execution
> Vulnerability: A maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
> Affected versions:
> - notebook ≤ 5.4.0
> URI with issues:
> - GET /notebook/**
> Patches:  not yet finalised
> Mitigations:
> Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> If using pip,
>     pip install --upgrade notebook
> For conda:
>     conda update conda
>     conda update notebook
> Vulnerability reported by , via Jonathan Kamens at Quantopian

Thanks for the heads-up.

This reply is mainly for this other purpose: It looks like you wanted to
have a CVE assigned through this reply to the list. CVEs can no
longer be requested via the oss-security list. If you want to request
one, please have a look at

Once you have the CVE assigned, can you please loop back the
assignment in this thread?
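The report quoted above describes a sanitizer that ran on the raw HTML string before jQuery parsed it, so markup that was inert as text became live elements once the parser repaired the invalid HTML. The defensive principle this illustrates is to sanitize after parsing, on the parser's own token stream, and to check that the result is a fixed point (sanitizing it a second time changes nothing). The Python sketch below is an added illustration of that principle, not code from Jupyter, from the notebook fix, or from anyone in this thread; Jupyter's frontend is JavaScript, so this shows the design rather than the affected code path. It uses the standard library's html.parser, which is itself a lenient parser; the allowlists and the names TreeSanitizer, sanitize and is_fixed_point are this example's own choices, and the sample inputs in the usage section are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists chosen for this example; a real deployment would derive them from
# what the rendering surface actually needs.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br",
                "code", "pre", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}   # their body is never rendered as text
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "#", "/")


class TreeSanitizer(HTMLParser):
    """Allowlist sanitizer driven by parser events, not by string matching.

    Because output is re-serialized from the tokens a lenient parser produced,
    re-parsing the output yields the same tokens: there is no 'repair' step
    left for a downstream parser to perform.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # allowed tags currently open, for balancing
        self.drop_depth = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # element dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. are never allowlisted
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # unknown or scriptable URL schemes are dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.stack:
            # Close everything opened after it so the output stays balanced.
            while True:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    def handle_comment(self, data):
        pass  # comments are dropped; they are a classic carrier for parser confusion

    def result(self):
        while self.stack:  # close anything the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html: str) -> str:
    s = TreeSanitizer()
    s.feed(html)
    s.close()
    return s.result()


def is_fixed_point(html: str) -> bool:
    """True when a second pass changes nothing: the check a sanitizer should pass."""
    once = sanitize(html)
    return sanitize(once) == once


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    for sample in ['<p>hi <b>there</b></p>',
                   '<p>x<script>doSomething()</script>y</p>',
                   '<a href="https://example.org/" onclick="x()">link</a>',
                   '<p><b>unclosed']:
        print(repr(sanitize(sample)), is_fixed_point(sample))
```

The important design point is where the sanitizer sits: it consumes the token stream of a lenient parser and only ever emits balanced, allowlisted tokens, so a later parser has nothing to "fix". The is_fixed_point check is cheap enough to run in tests over a corpus of odd inputs; any input for which it returns False is a sign that serialization and parsing disagree somewhere.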

