GHSA-9q39-rmj3-p4r2

Source

https://github.com/advisories/GHSA-9q39-rmj3-p4r2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-9q39-rmj3-p4r2/GHSA-9q39-rmj3-p4r2.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9q39-rmj3-p4r2

Aliases

Published

2024-08-29T17:55:53Z

Modified

2024-08-30T07:57:14.798953Z

Severity

7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L CVSS Calculator
8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering

Details

Impact

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

Patches

JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 were patched.

Workarounds

There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are: - @jupyterlab/mathjax-extension:plugin - users will loose ability to preview mathematical equations - @jupyterlab/markdownviewer-extension:plugin - users will loose ability to open Markdown previews - @jupyterlab/mathjax2-extension:plugin (if installed with optional jupyterlab-mathjax2 package) - an older version of the mathjax plugin for JupyterLab 4.x

To disable these extensions run:

jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin
jupyter labextension disable @jupyterlab/mathjax-extension:plugin
jupyter labextension disable @jupyterlab/mathjax2-extension:plugin

To confirm that the plugins were disabled run:

jupyter labextension list

References

None

Notes

This change has a potential to break rendering of some markdown. There is a setting in Sanitizer which allows to revert to the previous sanitizer settings (allowNamedProperties).

Database specific

{
    "nvd_published_at": "2024-08-28T20:15:07Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-29T17:55:53Z"
}

References

Affected packages

PyPI / jupyterlab

Package

Name: jupyterlab; View open source insights on deps.dev
Purl: pkg:pypi/jupyterlab

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.8

Affected versions

0.*

0.0.1

0.0.2

0.0.3

0.0.4

0.0.5

0.0.6

0.0.7

0.0.8

0.0.9

0.0.10

0.0.13

0.1.1

0.1.2

0.2.0

0.3.0

0.4.0

0.4.1

0.5.0

0.6.0

0.7.0

0.8.0

0.9.0

0.9.1

0.10.0

0.11.0

0.11.1

0.11.2

0.11.3

0.12.0

0.12.1

0.13.0

0.13.1

0.13.2

0.14.0

0.15.0

0.15.1

0.16.0

0.16.2

0.17.0

0.17.1

0.17.2

0.17.4

0.17.5

0.18.0.dev1

0.18.0

0.18.1

0.19.0

0.20.0rc1

0.20.0

0.20.1

0.20.2

0.20.3

0.20.4

0.21.0rc1

0.21.0rc2

0.21.0rc3

0.21.0rc4

0.21.0rc5

0.21.0

0.22.0rc0

0.22.0

0.22.1

0.23.0rc0

0.23.0rc1

0.23.0

0.23.1

0.23.2

0.24.0rc0

0.24.0rc1

0.24.0rc2

0.24.0

0.24.1

0.25.0rc0

0.25.0rc1

0.25.0

0.25.1

0.25.2rc0

0.25.2

0.26.0rc0

0.26.0rc1

0.26.0

0.26.1

0.26.2

0.26.3

0.26.4

0.26.5

0.27.0rc0

0.27.0rc1

0.27.0rc2

0.27.0rc3

0.27.0rc4

0.27.0rc5

0.27.0

0.27.1

0.27.2

0.28.0rc0

0.28.0rc1

0.28.0rc2

0.28.0rc3

0.28.0

0.28.1

0.28.2

0.28.3

0.28.4

0.28.5

0.28.6

0.28.7

0.28.8

0.28.10

0.28.11

0.28.12

0.28.13

0.28.14

0.28.15

0.29.0rc0

0.29.0

0.29.1

0.29.2

0.30.0rc0

0.30.0rc1

0.30.0

0.30.1

0.30.2

0.30.3

0.30.4

0.30.5

0.30.6

0.31.0rc0

0.31.0rc1

0.31.0rc2

0.31.0

0.31.1

0.31.2

0.31.3

0.31.4

0.31.5

0.31.6

0.31.7

0.31.8

0.31.9

0.31.10

0.31.11

0.31.12

0.32.0rc0

0.32.0rc1

0.32.0

0.32.1

0.33.0rc0

0.33.0rc1

0.33.0

0.33.1

0.33.2

0.33.3

0.33.4

0.33.5

0.33.6

0.33.7

0.33.8

0.33.9

0.33.10

0.33.11

0.33.12

0.34.0rc0

0.34.0rc1

0.34.0rc2

0.34.0

0.34.1

0.34.2

0.34.3

0.34.4

0.34.5

0.34.6

0.34.7

0.34.8

0.34.9

0.34.10

0.34.11

0.34.12

0.35.0rc0

0.35.0rc1

0.35.0rc2

0.35.0

0.35.1

0.35.2

0.35.3

0.35.4

0.35.5

0.35.6

1.*

1.0.0a0

1.0.0a1

1.0.0a2

1.0.0a3

1.0.0a4

1.0.0a5

1.0.0a6

1.0.0a7

1.0.0a8

1.0.0a9

1.0.0a10

1.0.0rc0

1.0.0rc1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.9

1.0.10

1.1.0a0

1.1.0a1

1.1.0a2

1.1.0rc0

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.2.0a0

1.2.0a1

1.2.0a2

1.2.0a3

1.2.0rc0

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.20

1.2.21

2.*

2.0.0a0

2.0.0a1

2.0.0a3

2.0.0a4

2.0.0b1

2.0.0b2

2.0.0b3

2.0.0rc0

2.0.0rc1

2.0.0rc2

2.0.0

2.0.1rc0

2.0.1

2.0.2

2.1.0a0

2.1.0b0

2.1.0rc0

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.2.0a0

2.2.0a1

2.2.0rc1

2.2.0

2.2.1

2.2.2

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.3.0a0

2.3.0a1

2.3.0a2

2.3.0rc0

2.3.0

2.3.1

2.3.2

3.*

3.0.0a0

3.0.0a3

3.0.0a4

3.0.0a5

3.0.0a6

3.0.0a7

3.0.0a8

3.0.0a9

3.0.0a10

3.0.0a11

3.0.0a12

3.0.0a13

3.0.0a14

3.0.0b1

3.0.0b2

3.0.0b3

3.0.0b4

3.0.0b6

3.0.0b7

3.0.0b8

3.0.0rc0

3.0.0rc1

3.0.0rc2

3.0.0rc3

3.0.0rc4

3.0.0rc5

3.0.0rc6

3.0.0rc7

3.0.0rc8

3.0.0rc9

3.0.0rc10

3.0.0rc11

3.0.0rc12

3.0.0rc13

3.0.0rc14

3.0.0rc15

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.0.17

3.0.18

3.1.0a0

3.1.0a1

3.1.0a2

3.1.0a3

3.1.0a4

3.1.0a5

3.1.0a6

3.1.0a7

3.1.0a8

3.1.0a9

3.1.0a10

3.1.0a11

3.1.0a12

3.1.0a13

3.1.0b0

3.1.0b1

3.1.0rc1

3.1.0rc2

3.1.0

3.1.1

3.1.2

3.1.4

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.16

3.1.17

3.1.18

3.1.19

3.2.0a0

3.2.0a1

3.2.0b0

3.2.0rc0

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.3.0a1

3.3.0a2

3.3.0a3

3.3.0b0

3.3.0rc0

3.3.0

3.3.1

3.3.2

3.3.3

3.3.4

3.4.0a0

3.4.0b0

3.4.0rc0

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.4.6

3.4.7

3.4.8

3.5.0a0

3.5.0b0

3.5.0rc0

3.5.0

3.5.1

3.5.2

3.5.3

3.6.0a0

3.6.0a1

3.6.0a2

3.6.0a3

3.6.0a4

3.6.0a5

3.6.0b0

3.6.0rc0

3.6.0rc1

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

Database specific

{
    "last_known_affected_version_range": "<= 3.6.7"
}

PyPI / notebook

Package

Name: notebook; View open source insights on deps.dev
Purl: pkg:pypi/notebook

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.2.2

Affected versions

7.*

7.0.0

7.0.1

7.0.2

7.0.3

7.0.4

7.0.5

7.0.6

7.0.7

7.0.8

7.1.0a0

7.1.0a1

7.1.0a2

7.1.0b0

7.1.0rc0

7.1.0rc1

7.1.0

7.1.1

7.1.2

7.1.3

7.2.0a0

7.2.0b0

7.2.0b1

7.2.0rc0

7.2.0rc1

7.2.0

7.2.1

Database specific

{
    "last_known_affected_version_range": "<= 7.2.1"
}

PyPI / jupyterlab

Package

Name: jupyterlab; View open source insights on deps.dev
Purl: pkg:pypi/jupyterlab

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.2.5

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10

4.0.11

4.0.12

4.0.13

4.1.0a1

4.1.0a2

4.1.0a3

4.1.0a4

4.1.0b0

4.1.0b1

4.1.0b2

4.1.0rc0

4.1.0rc1

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0a0

4.2.0a1

4.2.0a2

4.2.0b0

4.2.0b1

4.2.0b2

4.2.0b3

4.2.0rc0

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

Database specific

{
    "last_known_affected_version_range": "<= 4.2.4"
}