oss-sec mailing list archives
Re: CVE request: maliciously crafted notebook files in Jupyter
From: Fernando Perez <Fernando.Perez () berkeley edu>
Date: Sun, 18 Mar 2018 21:36:45 -0700
A huge thanks to the Quantopian team, Thomas and everyone else who worked to bring this to a quick resolution. I was really impressed by the response and quick collaboration from all parties.

Best,
f

On Sun, Mar 18, 2018 at 12:59 AM, Thomas Kluyver <takowl () gmail com> wrote:

> Thanks Salvatore. Devdatta Akhawe filled in the form on my behalf, and we've now been assigned CVE-2018-8768. I'm going to merge the fix now and start the release process for 5.4.1.
>
> Thomas
>
> On 17 March 2018 at 14:05, Salvatore Bonaccorso <carnil () debian org> wrote:
>
> > Hi,
> >
> > On Thu, Mar 15, 2018 at 01:55:59PM +0000, Thomas Kluyver wrote:
> >
> > > Email address of requester: security () ipython org, thomas () kluyver me uk, benjaminrk () gmail com, jkamens () quantopian com, ssanderson () quantopian com
> > >
> > > Software name: Jupyter Notebook (formerly IPython Notebook)
> > >
> > > Type of vulnerability: Maliciously forged file
> > >
> > > Attack outcome: Possible remote execution
> > >
> > > Vulnerability: A maliciously forged notebook file can bypass sanitization to execute Javascript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
> > >
> > > Affected versions:
> > > - notebook ≤ 5.4.0
> > >
> > > URI with issues:
> > > - GET /notebook/**
> > >
> > > Patches: not yet finalised
> > >
> > > Mitigations: Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
> > > If using pip:
> > >   pip install --upgrade notebook
> > > For conda:
> > >   conda update conda
> > >   conda update notebook
> > >
> > > Vulnerability reported by vkgonka () mail ru, via Jonathan Kamens at Quantopian
> >
> > Thanks for the heads-up.
> >
> > This reply is mainly for this other purpose: it looks like you wanted to have a CVE assigned through this reply to the list. CVEs can no longer be requested via the oss-security list. If you want to request one, please have a look at https://cveform.mitre.org/
> >
> > Once you have the CVE assigned, can you please loop back the assignment in this thread?
> >
> > Regards,
> > Salvatore
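The request quoted above describes the failure shape, sanitizer output that a second HTML parser (jQuery) reinterprets into live markup, but not the exact Jupyter vector or patch, so nothing below is the project's code or the reported payload. What follows is an added example, written for this page, of the same class in miniature: a string-based sanitizer whose output is not a fixed point, a tokenizer-level allowlist sanitizer that follows the browser's tag-name rule so its output survives re-parsing unchanged, and the cheap regression check (feed the output back through the sanitizer and require it to be unchanged) that catches the first kind. The element allowlist, the helper names and all inputs are constructed for the example; the robust fix for the real bug class is not more string passes but handing parsed DOM nodes to the page instead of a string that jQuery parses again.

```javascript
'use strict';
// Added example; not code from the Jupyter project or from anyone in this thread.
// Illustrates the bug class named in the CVE request: a sanitizer whose output
// is not a fixed point, so a second interpretation of the string (another pass,
// or a browser/jQuery HTML parser) sees markup the first pass never saw.
// All inputs and names here are constructed for the example.

// 1. Naive sanitizer: one regex pass that deletes <script ...> and </script>.
function regexStripScript(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, '');
}

// 2. Single-pass tokenizer following the HTML tokenizer's tag-name rule: after
//    "<" + letter (or "</" + letter) the name runs until whitespace, "/", ">"
//    or end of input; every other character, "<" included, is part of the name.
//    A "<" not followed by a letter (or "/" + letter) is ordinary text. A tag
//    cut off by end of input is dropped, as a browser does. Attributes are
//    skipped up to the first ">" (this example drops all attributes; a real
//    sanitizer must tokenize quoted attribute values with the browser's rules).
function tokenize(html) {
  const tokens = [];
  let text = '';
  let i = 0;
  while (i < html.length) {
    const c = html[i];
    const isStart = c === '<' && /[A-Za-z]/.test(html[i + 1] || '');
    const isEnd = c === '<' && html[i + 1] === '/' && /[A-Za-z]/.test(html[i + 2] || '');
    if (!isStart && !isEnd) { text += c; i += 1; continue; }
    if (text) { tokens.push({ type: 'text', data: text }); text = ''; }
    let j = i + (isEnd ? 2 : 1);
    let name = '';
    while (j < html.length && !/[\s\/>]/.test(html[j])) { name += html[j]; j += 1; }
    while (j < html.length && html[j] !== '>') j += 1;
    if (j < html.length) tokens.push({ type: isEnd ? 'end' : 'start', name: name.toLowerCase() });
    i = j + 1;
  }
  if (text) tokens.push({ type: 'text', data: text });
  return tokens;
}

// 3. Token-level sanitizer: element allowlist, attributes dropped, <script> and
//    <style> removed together with their bodies, text escaped so it can never be
//    re-tokenized as a tag. Its output is therefore always a fixed point.
const ALLOWED = new Set(['p', 'b', 'i', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'br']);
const VOID = new Set(['br']);
const DROP_WITH_BODY = new Set(['script', 'style']);

function escapeText(s) {
  // "&" is passed through so entities already present (&amp;, &lt;) stay as written.
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function tokenSanitize(html) {
  let out = '';
  let dropping = null; // name of the element whose body is being discarded
  for (const t of tokenize(html)) {
    if (dropping) {
      if (t.type === 'end' && t.name === dropping) dropping = null;
      continue;
    }
    if (t.type === 'text') { out += escapeText(t.data); continue; }
    if (t.type === 'start' && DROP_WITH_BODY.has(t.name)) { dropping = t.name; continue; }
    if (!ALLOWED.has(t.name)) continue;
    if (t.type === 'start') out += `<${t.name}>`;
    else if (!VOID.has(t.name)) out += `</${t.name}>`;
  }
  return out;
}

// 4. Regression check: output fed back through the same sanitizer must not
//    change. Failure means the output still carries structure the sanitizer did
//    not model, which a downstream parser may activate. This is a necessary
//    condition only; the real test is to parse the output with the parser that
//    will render it, or to hand over parsed nodes instead of a string.
function isFixedPoint(sanitize, html) {
  const once = sanitize(html);
  return sanitize(once) === once;
}

// Constructed input: what remains after one deletion pass is itself a script tag.
const NESTED = '<scr<script>ipt>alert(1)</scr</script>ipt>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(regexStripScript(NESTED));               // <script>alert(1)</script>
  console.log(isFixedPoint(regexStripScript, NESTED)); // false
  console.log(tokenSanitize(NESTED));                  // ipt&gt;alert(1)ipt&gt;
  console.log(isFixedPoint(tokenSanitize, NESTED));    // true
}
```

The tokenizer result for the constructed input matches what a browser makes of it: `<scr<script>` is one start tag named `scr<script`, not a `scr` tag wrapped around a script, so the text that follows is inert. The regex sanitizer models the string differently from the parser that will later render it, and that disagreement is the whole vulnerability class.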
Current thread:
- CVE request: maliciously crafted notebook files in Jupyter Thomas Kluyver (Mar 15)
- Re: CVE request: maliciously crafted notebook files in Jupyter Salvatore Bonaccorso (Mar 17)
- Re: CVE request: maliciously crafted notebook files in Jupyter Thomas Kluyver (Mar 18)
- Re: CVE request: maliciously crafted notebook files in Jupyter Fernando Perez (Mar 19)
- Re: CVE request: maliciously crafted notebook files in Jupyter Thomas Kluyver (Mar 18)
- Re: CVE request: maliciously crafted notebook files in Jupyter Ricter Zheng (Mar 19)
- Re: CVE request: maliciously crafted notebook files in Jupyter Gordo Lowrey (Mar 20)
- Re: CVE request: maliciously crafted notebook files in Jupyter Salvatore Bonaccorso (Mar 17)