Debian: DLA-2432-1 Moderate: Jupyter Notebook XSS Threats and Fixes
debian lts
November 19, 2020
Several vulnerabilities have been discovered in jupyter-notebook
Topics Covered
Summary
CVE-2018-8768
A maliciously forged notebook file can bypass sanitization to execute
Javascript in the notebook context. Specifically, invalid HTML is
'fixed' by jQuery after sanitization, making it dangerous.
CVE-2018-19351
allows XSS via an untrusted notebook because nbconvert responses are
considered to have the same origin as the notebook server.
CVE-2018-21030
jupyter-notebook does not use a CSP header to treat served files as
belonging to a separate origin. Thus, for example, an XSS payload can
be placed in an SVG document.
For Debian 9 stretch, these problems have been fixed in version
4.2.3-4+deb9u1.
We recommend that you upgrade your jupyter-notebook packages.
For the detailed security status of jupyter-notebook please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/jupyter-notebook
Further information about Debian LTS security advisories, how to apply
PREVIOUS
NEXT
Package: jupyter-notebook
Version: 4.2.3-4+deb9u1
CVE ID: CVE-2018-8768 CVE-2018-19351 CVE-2018-21030
Debian Bug: 893436 917409
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!