List: oss-security
Subject: Re: [oss-security] CVE request: maliciously crafted notebook files in Jupyter
From: Gordo Lowrey <gordo () zeneval ! com>
Date: 2018-03-19 23:16:17
Message-ID: 1521501377.17063.0 () smtp ! gmail ! com
Obviously, running a Python notebook from an untrusted party is a bad
idea, since notebooks are literally code executors...
Sure, there is something to be said about *javascript* execution... but
there are a plethora of addons for Python notebooks that generate
Javascript on-demand. Especially for visualizations, etc...
Why is this a "vulnerability" necessarily?
Just curious...
On Mon, Mar 19, 2018 at 7:53 AM, Ricter Zheng <ricterzheng@gmail.com>
wrote:
> Hi Thomas Kluyver,
>
> I am a student from China majoring in information security, and I'm very
> interested in the vulnerability. I tried to reproduce the vulnerability but
> failed, so can you provide some technical details about it?
>
> Thank you.
> --
> Ricter Zheng
>
> Thomas Kluyver <thomas@kluyver.me.uk> wrote on Thursday, 15 March 2018
> at 22:27:
>
>> Email address of requester: security@ipython.org,
>> thomas@kluyver.me.uk,
>> benjaminrk@gmail.com, jkamens@quantopian.com,
>> ssanderson@quantopian.com
>>
>> Software name: Jupyter Notebook (formerly IPython Notebook)
>> Type of vulnerability: Maliciously forged file
>> Attack outcome: Possible remote execution
>>
>> Vulnerability: A maliciously forged notebook file can bypass
>> sanitization
>> to execute Javascript in the notebook context. Specifically,
>> invalid HTML
>> is 'fixed' by jQuery after sanitization, making it dangerous.
>>
>> Affected versions:
>>
>> - notebook ≤ 5.4.0
>>
>> URI with issues:
>>
>> - GET /notebook/**
>>
>> Patches: not yet finalised
>>
>> Mitigations:
>>
>> Upgrade to Jupyter notebook 5.4.1 or 5.5 once available.
>> If using pip,
>>
>> pip install --upgrade notebook
>>
>> For conda:
>>
>> conda update conda
>> conda update notebook
>>
>> Vulnerability reported by vkgonka@mail.ru , via Jonathan Kamens at
>> Quantopian
>>
>> --
> Ricter Z
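As an added example, not part of this thread and not Jupyter project code: a small scanner over an .ipynb file (nbformat 4 JSON) that lists the output entries a notebook frontend would hand to the browser as markup or script (HTML, JavaScript, SVG) and can strip them before the file is opened in a notebook server. The MIME-type list is an assumption chosen for the example, and the sample notebook is constructed inline. Removing such outputs from a notebook received from an untrusted party takes them out of the sanitizer's hands entirely, which is independent of whether the renderer's sanitization step (the subject of the advisory above) is sound.

```python
"""Scan a Jupyter notebook (nbformat 4 JSON) for outputs the browser would
render as active content and optionally strip them before opening the file.

Added example for this thread; not Jupyter project code. The MIME list and
the sample notebook below are assumptions/constructed data for illustration.
"""
import copy
import json

# MIME types a notebook frontend hands to the browser as markup or script.
# HTML and SVG can carry <script> or event handlers; JavaScript is executed
# directly. text/plain and raster images are rendered inert. (assumed list)
ACTIVE_MIME_TYPES = {
    "text/html",
    "application/javascript",
    "text/javascript",
    "image/svg+xml",
}

# Output types that carry a MIME-keyed "data" bundle in nbformat 4.
DATA_OUTPUT_TYPES = {"display_data", "execute_result"}


def find_active_outputs(nb):
    """Return (cell_index, output_index, mime) for every active-content output."""
    hits = []
    for ci, cell in enumerate(nb.get("cells", [])):
        if cell.get("cell_type") != "code":
            continue
        for oi, out in enumerate(cell.get("outputs", [])):
            if out.get("output_type") not in DATA_OUTPUT_TYPES:
                continue
            for mime in sorted(out.get("data", {})):
                if mime in ACTIVE_MIME_TYPES:
                    hits.append((ci, oi, mime))
    return hits


def strip_active_outputs(nb):
    """Return a deep copy of nb with active-content MIME entries removed.

    An output whose data bundle becomes empty is dropped entirely so the
    notebook stays valid nbformat (display_data requires a data dict).
    """
    clean = copy.deepcopy(nb)
    for cell in clean.get("cells", []):
        if cell.get("cell_type") != "code":
            continue
        kept = []
        for out in cell.get("outputs", []):
            if out.get("output_type") in DATA_OUTPUT_TYPES:
                data = out.get("data", {})
                for mime in list(data):
                    if mime in ACTIVE_MIME_TYPES:
                        del data[mime]
                if not data:
                    continue
            kept.append(out)
        cell["outputs"] = kept
    return clean


# Constructed sample notebook: one output mixing text and HTML, one pure
# JavaScript output, and a stream output that should be left alone.
SAMPLE_NOTEBOOK_JSON = json.dumps({
    "nbformat": 4, "nbformat_minor": 2, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Report"]},
        {"cell_type": "code", "execution_count": 1, "metadata": {},
         "source": ["show()"],
         "outputs": [
             {"output_type": "execute_result", "execution_count": 1,
              "metadata": {},
              "data": {"text/plain": ["<Figure>"],
                       "text/html": ["<div>chart</div>"]}},
             {"output_type": "stream", "name": "stdout", "text": ["done\n"]},
         ]},
        {"cell_type": "code", "execution_count": 2, "metadata": {},
         "source": ["run_js()"],
         "outputs": [
             {"output_type": "display_data", "metadata": {},
              "data": {"application/javascript": ["console.log(1)"]}},
         ]},
    ],
})


def scan_json(text):
    """Parse notebook JSON and return (hits, stripped_notebook)."""
    nb = json.loads(text)
    return find_active_outputs(nb), strip_active_outputs(nb)


if __name__ == "__main__":
    hits, clean = scan_json(SAMPLE_NOTEBOOK_JSON)
    for ci, oi, mime in hits:
        print(f"cell {ci} output {oi}: {mime}")
    print(json.dumps(clean, indent=1))
```

Running the module against a real file is a matter of reading it and passing the text to scan_json; the stripped dictionary can be written back out with json.dump. This is deliberately finer-grained than clearing every output (which nbconvert's --clear-output does), since it keeps text/plain results and stream output while dropping only the entries the browser would interpret as markup or script. It does nothing about the code cells themselves, which, as Gordo notes above, are the real payload if the recipient chooses to run them.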