[Python-modules-team] Bug#917409: jupyter-notebook: CVE-2018-19351
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 27 13:37:09 GMT 2018
Hi,
Sorry, I mistyped the CVE for the report.
Here is the correct information:
CVE-2018-19351[0]:
| Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook
| because nbconvert responses are considered to have the same origin as
| the notebook server. In other words, nbconvert endpoints can execute
| JavaScript with access to the server API. In
| notebook/nbconvert/handlers.py, NbconvertFileHandler and
| NbconvertPostHandler do not set a Content Security Policy to prevent
| this.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-19351
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19351
[1] https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
Regards,
Salvatore
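As an added illustration of the mitigation (example code written for this page; it is not from the Debian report, from Jupyter Notebook, or from the referenced commit): the property the fix relies on is that a Content-Security-Policy `sandbox` directive without `allow-same-origin` puts the exported HTML in an opaque origin, so script inside an untrusted notebook can still run but can no longer call the notebook server's API with the viewer's session. The checker below parses a CSP header, decides whether a response has that property, and can be pointed at a running server's nbconvert endpoint. The sample header sets are constructed here; the post-fix header value `sandbox allow-scripts` and the `Authorization: token ...` form are assumptions, not quoted from the commit.

```python
import urllib.request
from typing import Dict, List, Optional


def parse_csp(value: str) -> List[Dict[str, List[str]]]:
    """Parse a Content-Security-Policy header value.

    A response may carry several policies (joined with ',' when headers are
    folded); each policy is a ';'-separated list of directives, and each
    directive a whitespace-separated list of tokens.  Browsers ignore a
    directive repeated within one policy, so only the first copy is kept.
    Returns one {directive_name: [tokens]} dict per policy.
    """
    policies: List[Dict[str, List[str]]] = []
    for raw_policy in value.split(","):
        policy: Dict[str, List[str]] = {}
        for directive in raw_policy.split(";"):
            tokens = directive.split()
            if not tokens:
                continue
            name = tokens[0].lower()
            if name in policy:
                continue  # duplicate directive: the first one wins
            policy[name] = [t.lower() for t in tokens[1:]]
        if policy:
            policies.append(policy)
    return policies


def export_is_sandboxed(headers: Dict[str, str]) -> bool:
    """True if a browser would place the document in an opaque origin.

    That requires an enforced Content-Security-Policy (the Report-Only
    header never applies 'sandbox') containing a 'sandbox' directive that
    does not list 'allow-same-origin'.  Multiple policies are enforced
    independently, so any one of them is enough.  Header names are matched
    case-insensitively.
    """
    for name, value in headers.items():
        if name.lower() != "content-security-policy":
            continue
        for policy in parse_csp(value):
            flags = policy.get("sandbox")
            if flags is not None and "allow-same-origin" not in flags:
                return True
    return False


# Constructed sample responses (not captured from a real server).
VULNERABLE_EXPORT_HEADERS = {  # shape of a pre-5.7.1 nbconvert response: no CSP
    "Content-Type": "text/html; charset=UTF-8",
}
FIXED_EXPORT_HEADERS = {  # assumed post-fix response: sandboxed, scripts may still run
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "sandbox allow-scripts",
}
MISCONFIGURED_EXPORT_HEADERS = {  # 'allow-same-origin' hands the origin back
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "sandbox allow-scripts allow-same-origin",
}


def check_live_export(url: str, token: Optional[str] = None, timeout: float = 10.0) -> bool:
    """Fetch an nbconvert export from a running server and apply the check.

    `url` is the export endpoint of the notebook under test, e.g.
    http://localhost:8888/nbconvert/html/Untitled.ipynb (hypothetical name).
    `token` is sent as 'Authorization: token <value>' (assumed auth form).
    All Content-Security-Policy headers are folded so none is lost.
    """
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", "token " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        csp_values = resp.headers.get_all("Content-Security-Policy") or []
        return export_is_sandboxed({"Content-Security-Policy": ", ".join(csp_values)})


if __name__ == "__main__":
    for label, sample in [
        ("pre-fix   ", VULNERABLE_EXPORT_HEADERS),
        ("fixed     ", FIXED_EXPORT_HEADERS),
        ("misconfig ", MISCONFIGURED_EXPORT_HEADERS),
    ]:
        print(label, "sandboxed" if export_is_sandboxed(sample) else "SAME-ORIGIN (exposed)")
```

Run `check_live_export` against an affected package and it returns False; against a server carrying the upstream fix it should return True. Note that `allow-same-origin` is the flag that silently undoes the mitigation, which is why the check looks for its absence rather than merely for the presence of `sandbox`.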