[manjaro-security] [ASA-201812-1] jupyter-notebook: cross-site scripting

Santiago Torres-Arias santiago at archlinux.org
Thu Dec 6 22:34:06 CET 2018


Arch Linux Security Advisory ASA-201812-1
=========================================

Severity: Medium
Date    : 2018-12-06
CVE-ID  : CVE-2018-19351 CVE-2018-19352
Package : jupyter-notebook
Type    : cross-site scripting
Remote  : No
Link    : https://security.archlinux.org/AVG-820

Summary
=======

The package jupyter-notebook before version 5.7.2-1 is vulnerable to
cross-site scripting.

Resolution
==========

Upgrade to 5.7.2-1.

# pacman -Syu "jupyter-notebook>=5.7.2-1"

The problems have been fixed upstream in version 5.7.2.

Workaround
==========

None.

Description
===========

- CVE-2018-19351 (cross-site scripting)

A security issue has been found in Jupyter Notebook versions prior to
5.7.1, where untrusted javascript could be executed if malicious files
could be delivered to the users system and the user takes specific
actions with those malicious files. It allowed nbconvert endpoints
(such as Print Preview) to render untrusted HTML and javascript with
access to the notebook server.

- CVE-2018-19352 (cross-site scripting)

A security issue has been found in Jupyter Notebook versions prior to
5.7.2, where untrusted javascript could be executed if malicious files
could be delivered to the users system and the user takes specific
actions with those malicious files. It allowed maliciously crafted
directory names to execute javascript when opened in the tree view.

Impact
======

A remote attacker is able to execute javascript and create html content
by tricking users into opening and interacting with maliciously crafted
notebook files.

References
==========

https://bugs.archlinux.org/task/60910
https://blog.jupyter.org/jupyter-notebook-security-fixes-59817e86a711
https://blog.jupyter.org/security-fix-for-jupyter-notebook-450f272b6932?gi=dbc3ae28c796
https://security.archlinux.org/CVE-2018-19351
https://security.archlinux.org/CVE-2018-19352
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20181206/2eb9199d/attachment.sig>


More information about the manjaro-security mailing list