GHSA-4m77-cmpx-vjc4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4m77-cmpx-vjc4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-4m77-cmpx-vjc4/GHSA-4m77-cmpx-vjc4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-4m77-cmpx-vjc4
- Aliases
- Published
- 2024-01-19T20:24:09Z
- Modified
- 2024-02-20T05:33:14.840915Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- JupyterLab vulnerable to SXSS in Markdown Preview
- Details
-
Impact
The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.
A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.
Patches
JupyterLab v4.0.11 was patched.
Workarounds
Users can either disable the table of contents extension by running:
jupyter labextension disable @jupyterlab/toc-extension:registryReferences
Vulnerability reported via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
- Database specific
{ "nvd_published_at": "2024-01-19T21:15:09Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-01-19T20:24:09Z" }- References
-
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
- https://nvd.nist.gov/vuln/detail/CVE-2024-22420
- https://github.com/jupyterlab/jupyterlab/commit/dda0033cd49449572d077bbecd33b18d8d05f48a
- https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df
- https://github.com/jupyterlab/jupyterlab
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H
Affected packages
PyPI / jupyterlab
Package
- Name
- jupyterlab
- View open source insights on deps.dev
- Purl
- pkg:pypi/jupyterlab
PyPI / notebook
Package
- Name
- notebook
- View open source insights on deps.dev
- Purl
- pkg:pypi/notebook