oss-sec mailing list archives
Re: CVE request: maliciously crafted notebook files in Jupyter
From: Gordo Lowrey <gordo () zeneval com>
Date: Mon, 19 Mar 2018 19:16:17 -0400
Obviously, running a python notebook from an untrusted party is a bad idea, since notebooks are literally code executors...

Sure, there is something to be said about *javascript* execution... but there are a plethora of addons for Python notebooks that generate Javascript on-demand. Especially for visualizations, etc...

Why is this a "vulnerability" necessarily? Just curious...

On Mon, Mar 19, 2018 at 7:53 AM, Ricter Zheng <ricterzheng () gmail com> wrote:
Hi Thomas Kluyver,

I am a student from China majoring in information security, and I'm very interested in the vulnerability. I tried to reproduce the vulnerability but failed, so can you provide some technical detail about it? Thank you.

-- Ricter Zheng

Thomas Kluyver <thomas () kluyver me uk> wrote on Thu, 15 Mar 2018 at 10:27 PM:

Email address of requester: security () ipython org, thomas () kluyver me uk, benjaminrk () gmail com, jkamens () quantopian com, ssanderson () quantopian com
Software name: Jupyter Notebook (formerly IPython Notebook)
Type of vulnerability: Maliciously forged file
Attack outcome: Possible remote execution
Vulnerability: A maliciously forged notebook file can bypass sanitization to execute Javascript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.
Affected versions:
- notebook ≤ 5.4.0
URI with issues:
- GET /notebook/**
Patches: not yet finalised
Mitigations: Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
If using pip:
pip install --upgrade notebook
For conda:
conda update conda
conda update notebook
Vulnerability reported by vkgonka () mail ru, via Jonathan Kamens at Quantopian

-- Ricter Z
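The advisory quoted above describes a sanitize-then-reparse mismatch: once a lenient parser (jQuery, in that case) repairs invalid markup after the sanitizer has run, the structure the browser acts on is no longer the one that was checked. As an added example, not Jupyter's own code, this Python sanitizer with a constructed allow-list filters the parsed tree and emits only balanced, canonical HTML, then checks that re-sanitizing its output changes nothing.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list for this example (not Jupyter's own configuration).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "code", "pre", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"}, "div": {"class"}}
SAFE_SCHEMES = {"", "http", "https", "mailto"}
DROP_SUBTREE = {"script", "style"}  # element and its contents are removed

class TreeSanitizer(HTMLParser):
    # Filters the parsed tree and serializes balanced HTML, so a later lenient
    # re-parse (browser or jQuery) sees exactly the structure that was approved.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.suppress = [], [], 0
    def handle_starttag(self, tag, attrs):
        if self.suppress or tag in DROP_SUBTREE:
            self.suppress += 1  # inside a dropped subtree
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself but keep its text content
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers, style, etc. never pass
            if name == "href" and urlsplit(value.strip()).scheme not in SAFE_SCHEMES:
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.stack.append(tag)
        self.out.append("<" + " ".join(parts) + ">")
    def handle_endtag(self, tag):  # a stray end tag with nothing open is ignored
        if self.suppress:
            self.suppress -= 1
        elif tag in self.stack:  # close it and anything still open inside it
            while self.stack[-1] != tag:
                self.out.append(f"</{self.stack.pop()}>")
            self.out.append(f"</{self.stack.pop()}>")
    def handle_data(self, data):
        if not self.suppress:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    p = TreeSanitizer()
    p.feed(html)
    p.close()  # flush buffered text, then balance any tags left open
    return "".join(p.out + [f"</{t}>" for t in reversed(p.stack)])

def is_fixed_point(html):  # regression check: re-sanitizing must change nothing
    return sanitize(sanitize(html)) == sanitize(html)
```

Because the output is already well-formed, a downstream parser has nothing to repair, which is the property the advisory's fix needs to hold.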
Current thread:
- CVE request: maliciously crafted notebook files in Jupyter Thomas Kluyver (Mar 15)
- Re: CVE request: maliciously crafted notebook files in Jupyter Salvatore Bonaccorso (Mar 17)
- Re: CVE request: maliciously crafted notebook files in Jupyter Thomas Kluyver (Mar 18)
- Re: CVE request: maliciously crafted notebook files in Jupyter Fernando Perez (Mar 19)
- Re: CVE request: maliciously crafted notebook files in Jupyter Thomas Kluyver (Mar 18)
- Re: CVE request: maliciously crafted notebook files in Jupyter Ricter Zheng (Mar 19)
- Re: CVE request: maliciously crafted notebook files in Jupyter Gordo Lowrey (Mar 20)
- Re: CVE request: maliciously crafted notebook files in Jupyter Salvatore Bonaccorso (Mar 17)