[Debian-pan-maintainers] Bug#1082871: jupyterlab: CVE-2024-43805
Moritz Mühlenhoff
jmm at inutil.org
Fri Sep 27 14:26:40 BST 2024
Package: jupyterlab
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for jupyterlab.
CVE-2024-43805[0]:
| jupyterlab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook Architecture.
| This vulnerability depends on user interaction by opening a
| malicious notebook with Markdown cells, or Markdown file using
| JupyterLab preview feature. A malicious user can access any data
| that the attacked user has access to as well as perform arbitrary
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.
| Users are advised to upgrade. There is no workaround for the
| underlying DOM Clobbering susceptibility. However, select plugins
| can be disabled on deployments which cannot update in a timely
| fashion to minimise the risk. These are:
| 1. `@jupyterlab/mathjax-extension:plugin` - users will lose the ability
|    to preview mathematical equations.
| 2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose the
|    ability to open Markdown previews.
| 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with the
|    optional `jupyterlab-mathjax2` package) - an older version of the
|    mathjax plugin for JupyterLab 4.x.
| To disable these extensions run, in bash:
| ```
| jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && \
|   jupyter labextension disable @jupyterlab/mathjax-extension:plugin && \
|   jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
| ```
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-43805
https://www.cve.org/CVERecord?id=CVE-2024-43805
Please adjust the affected versions in the BTS as needed.
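As an added example (not part of this bug report or of the JupyterLab project), the following helper encodes the advisory's fixed-version boundaries (3.6.8 for the 3.x branch, 4.2.5 for 4.x) and, for an affected install, produces the interim mitigation commands quoted above; `jupyter lab --version` is used only to read the locally installed version, and branches the advisory does not name are conservatively treated as affected (an assumption, not a statement from the advisory).

```python
"""Check a JupyterLab version against CVE-2024-43805 and emit the interim
mitigation (disable the Markdown/MathJax plugins) where an upgrade is not
yet possible. Added example; not code from the Debian bug or from JupyterLab."""
import re
import subprocess

# First patched release per branch, as stated in the advisory.
FIXED = {3: (3, 6, 8, 1), 4: (4, 2, 5, 1)}

# Plugins the advisory says may be disabled on deployments that cannot update.
MITIGATION_PLUGINS = [
    "@jupyterlab/markdownviewer-extension:plugin",
    "@jupyterlab/mathjax-extension:plugin",
    "@jupyterlab/mathjax2-extension:plugin",
]


def parse_version(text):
    """'4.2.5' -> (4, 2, 5, 1); '4.2.5rc1' -> (4, 2, 5, 0).
    Any suffix is treated as a pre-release, so it sorts below the final
    release (conservative: a '4.2.5rc1' is still reported as affected)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_affected(version):
    """True if the version predates the first fixed release of its branch.
    Assumption: branches not named in the advisory are treated as affected."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return True if fixed is None else v < fixed


def mitigation_commands(version):
    """Return the advisory's plugin-disable commands, or [] if already fixed."""
    if not is_affected(version):
        return []
    return [["jupyter", "labextension", "disable", p] for p in MITIGATION_PLUGINS]


def installed_version():
    """Read the locally installed JupyterLab version (e.g. '4.2.4')."""
    out = subprocess.run(["jupyter", "lab", "--version"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_version()
    for cmd in mitigation_commands(v) or [["echo", f"jupyterlab {v}: not affected"]]:
        print(" ".join(cmd))
```

Run without arguments it only prints the commands; pipe to `sh` (or run them by hand) on hosts you have decided to mitigate rather than upgrade.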