BIT-jupyterlab-2021-32797

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/jupyterlab/BIT-jupyterlab-2021-32797.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-jupyterlab-2021-32797
Aliases
Published
2024-03-06T10:54:25.501Z
Modified
2024-11-27T19:40:48.342Z
Summary
[none]
Details

JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions untrusted notebook can execute code on load. In particular JupyterLab doesn’t sanitize the action attribute of html <form>. Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook.

Database specific
{
    "cpes": [
        "cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / jupyterlab

Package

Name
jupyterlab
Purl
pkg:bitnami/jupyterlab

Severity

  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.21
Introduced
2.0.0
Fixed
2.2.10
Introduced
2.3.0
Fixed
2.3.2
Introduced
3.0.0
Fixed
3.0.17
Introduced
3.1.0
Fixed
3.1.4