[Python-modules-team] Bug#917409: jupyter-notebook: CVE-2018-19351

Salvatore Bonaccorso carnil at debian.org
Thu Dec 27 13:37:09 GMT 2018


Hi,

Sorry, I mistyped the CVE for the report:

Here is the correct information:

CVE-2018-19351[0]:
| Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook
| because nbconvert responses are considered to have the same origin as
| the notebook server. In other words, nbconvert endpoints can execute
| JavaScript with access to the server API. In
| notebook/nbconvert/handlers.py, NbconvertFileHandler and
| NbconvertPostHandler do not set a Content Security Policy to prevent
| this.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19351
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19351
[1] https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491

Regards,
Salvatore
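As an added example (not part of this report or of the upstream fix), a small check a defender can run over the response headers of an nbconvert endpoint: it parses the Content-Security-Policy and flags HTML/SVG output served without a `sandbox` directive, or with one that grants `allow-same-origin`, since either leaves any embedded script same-origin with the notebook server. The header values below are constructed samples.

```python
"""Audit response headers of notebook-conversion endpoints for CVE-2018-19351-style gaps:
untrusted HTML/SVG output must carry a CSP 'sandbox' that does not grant allow-same-origin."""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive: [tokens]}.
    Directives are ';'-separated, tokens whitespace-separated; directive names are
    case-insensitive and, per the spec, only the first occurrence of a name counts."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def sandbox_confines_scripts(policy: Dict[str, List[str]]) -> bool:
    """True when a 'sandbox' directive is present and does not re-grant the page's origin.
    A bare 'sandbox' (no tokens) is the most restrictive form; 'allow-scripts' alone keeps
    script on an opaque origin, but adding 'allow-same-origin' undoes the confinement."""
    if "sandbox" not in policy:
        return False
    return "allow-same-origin" not in {t.lower() for t in policy["sandbox"]}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_response(headers: Dict[str, str]) -> Optional[str]:
    """Return None when the response is acceptable, otherwise a one-line finding."""
    ctype = (_header(headers, "Content-Type") or "").lower()
    if not (ctype.startswith("text/html") or ctype.startswith("image/svg")):
        return None  # not script-bearing content; this check does not apply
    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        return "no Content-Security-Policy: embedded script shares the notebook server's origin"
    if not sandbox_confines_scripts(parse_csp(csp)):
        return "CSP sandbox missing or weakened by allow-same-origin: script keeps server origin"
    return None


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = [
    {"Content-Type": "text/html; charset=UTF-8"},                                   # unpatched
    {"Content-Type": "text/html", "Content-Security-Policy": "sandbox allow-scripts"},  # confined
    {"content-type": "image/svg+xml", "content-security-policy": "sandbox allow-scripts allow-same-origin"},
]

if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        print(audit_response(resp) or "ok")
```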


