SB2018111803 - Cross-site scripting in Jupyter Notebook
Published: November 18, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2018-19351)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in notebook/nbconvert/handlers.py. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2018-19352)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via a specially crafted directory name in notebook/static/tree/js/notebooklist.js. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.
References
- https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst
- https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
- https://groups.google.com/forum/#!topic/jupyter/hWzu2BSsplY
- https://pypi.org/project/notebook/#history
- https://github.com/jupyter/notebook/commit/288b73e1edbf527740e273fcc69b889460871648