
Mageia: 2022-0323 Moderate: Jupyter Notebook XSS and Open-Redirect Attacks

Mageia
September 10, 2022
Mageia 2022-0323 addresses security flaws in Jupyter Notebook, focusing on XSS risks and access control enhancements.

Summary

It was discovered that Jupyter Notebook incorrectly handled certain notebooks. An attacker could possibly use the lack of a Content Security Policy in Nbconvert to perform cross-site scripting (XSS) attacks on the notebook server. (CVE-2018-19351)
It was discovered that Jupyter Notebook incorrectly handled certain SVG documents. An attacker could possibly use this issue to perform cross-site scripting (XSS) attacks. (CVE-2018-21030)
It was discovered that Jupyter Notebook incorrectly filtered certain URLs on the login page. An attacker could possibly use this issue to perform an open-redirect attack. (CVE-2019-10255)
It was discovered that Jupyter Notebook had an incomplete fix for CVE-2019-10255. An attacker could possibly use this issue to perform an open-redirect attack using an empty netloc. (CVE-2019-10856)
It was discovered that Jupyter Notebook incorrectly handled the inclusion of remote pages on Jupyter server. An attacker could possibly use this issue to perform cross-site s...
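The empty-netloc case behind CVE-2019-10856, shown as an added example that is not code from the advisory or from the Jupyter project (the hostnames, the sample targets and the function names are constructed): a login-page redirect check that relies only on urlparse() accepts a target such as "///host" because the parser reports no netloc, while a check that additionally requires exactly one leading slash rejects it.

```python
from urllib.parse import urlparse

# Constructed redirect targets with the verdict a correct validator should give.
CONSTRUCTED_CASES = {
    "/tree":                    True,   # root-relative path on the same origin
    "/notebooks/a.ipynb?x=1":   True,
    "https://attacker.test/":   False,  # absolute URL with a scheme
    "//attacker.test/":         False,  # protocol-relative, netloc is non-empty
    "///attacker.test/":        False,  # urlparse() reports an EMPTY netloc here
    "/\\attacker.test/":        False,  # browsers treat the backslash as a slash
    "/tree\r\nSet-Cookie: a=b": False,  # CR/LF must never reach a Location header
}

def naive_is_safe(target: str) -> bool:
    """Parser-only check: trusts urlparse() scheme and netloc alone (insufficient)."""
    parsed = urlparse(target)
    return not parsed.scheme and not parsed.netloc

def hardened_is_safe(target: str, base_url: str = "/") -> bool:
    """Accept only a single-slash, root-relative path under base_url."""
    if not target or any(c in target for c in "\r\n\x00"):
        return False
    # Normalise backslashes to slashes before inspecting the prefix, as browsers do.
    normalized = target.replace("\\", "/")
    # Exactly one leading slash: rejects '//host' and '///host' whatever the parser says.
    if not normalized.startswith("/") or normalized.startswith("//"):
        return False
    parsed = urlparse(normalized)
    if parsed.scheme or parsed.netloc:
        return False
    return parsed.path.startswith(base_url)

def evaluate(validator) -> dict:
    """Return the targets on which the validator disagrees with the expected verdict."""
    return {t: validator(t) for t, expected in CONSTRUCTED_CASES.items()
            if validator(t) != expected}

if __name__ == "__main__":
    print("naive mismatches   :", evaluate(naive_is_safe))
    print("hardened mismatches:", evaluate(hardened_is_safe))
```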


References

- https://bugs.mageia.org/show_bug.cgi?id=30789

- https://bugs.mageia.org/show_bug.cgi?id=30664

- https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55

- https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/

- https://www.cve.org/CVERecord?id=CVE-2018-19351

- https://www.cve.org/CVERecord?id=CVE-2018-21030

- https://www.cve.org/CVERecord?id=CVE-2019-10255

- https://www.cve.org/CVERecord?id=CVE-2019-10856

- https://www.cve.org/CVERecord?id=CVE-2019-9644

- https://www.cve.org/CVERecord?id=CVE-2020-26215

- https://www.cve.org/CVERecord?id=CVE-2022-24758

- https://www.cve.org/CVERecord?id=CVE-2022-24785

- https://www.cve.org/CVERecord?id=CVE-2022-29238

- https://www.cve.org/CVERecord?id=CVE-2022-31129

Resolution

SRPMS

- 8/core/jupyter-notebook-6.4.12-1.mga8

- 8/core/python-send2trash-1.8.0-1.mga8

- 8/core/python-nest-asyncio-1.5.5-1.mga8

Publication date: 10 Sep 2022
URL: https://advisories.mageia.org/MGASA-2022-0323.html
Type: security
CVE: CVE-2018-19351, CVE-2018-21030, CVE-2019-10255, CVE-2019-10856, CVE-2019-9644, CVE-2020-26215, CVE-2022-24758, CVE-2022-24785, CVE-2022-29238, CVE-2022-31129
