CVE-2024-43805
Severity: HIGH 7.6 | EPSS: 0.43%
HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering
Description
### Impact

The vulnerability depends on user interaction: the attacked user must open a malicious notebook with Markdown cells, or a Markdown file using the JupyterLab preview feature. A malicious user can then access any data that the attacked user has access to, as well as perform arbitrary requests acting as the attacked user.

### Patches

JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 were patched.

### Workarounds

There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are:

- `@jupyterlab/mathjax-extension:plugin` - users will lose the ability to preview mathematical equations
- `@jupyterlab/markdownviewer-extension:plugin` - users will lose the ability to open Markdown previews
- `@jupyterlab/mathjax2-extension:plugin` (if installed with the optional `jupyterlab-mathjax2` package) - an older version of the MathJax plugin for JupyterLab 4.x

To disable these extensions run:

```bash
jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin
jupyter labextension disable @jupyterlab/mathjax-extension:plugin
jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
```

To confirm that the plugins were disabled run:

```bash
jupyter labextension list
```

### References

None

### Notes

This change has the potential to break rendering of some Markdown. There is a setting in the Sanitizer (`allowNamedProperties`) which allows reverting to the previous sanitizer behaviour.
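As an added illustration of what the `allowNamedProperties` setting controls (example code, not JupyterLab's own sanitizer), the script below re-serialises rendered Markdown HTML while dropping the `id` and `name` attributes through which markup can register properties on `document`/`window`, keeping them only when the flag is set. The attribute set and the sample HTML are constructed for this example, and the class is not a complete HTML sanitizer.

```python
from html import escape
from html.parser import HTMLParser

# Attributes that make an element reachable as a named property of
# `document` or `window`, the mechanism behind DOM clobbering.
# Constructed for this example; a real sanitizer covers more cases.
NAMED_PROPERTY_ATTRS = {"id", "name"}

# Constructed sample of rendered Markdown output.
SAMPLE_HTML = ('<p>Hi <a name="settings" href="https://example.invalid/">link</a>'
               '<img id="config" src="x.png"/></p>')


class NamedPropertySanitizer(HTMLParser):
    """Re-emit HTML, removing id/name attributes unless explicitly allowed.

    Comments and doctype declarations are dropped because no handler
    re-emits them; text is re-escaped so entities in data stay inert.
    """

    def __init__(self, allow_named_properties=False):
        super().__init__(convert_charrefs=True)
        self.allow_named_properties = allow_named_properties
        self.out = []
        self.dropped = []  # (tag, attribute, value) removed, for audit logs

    def _attrs(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if not self.allow_named_properties and name.lower() in NAMED_PROPERTY_ATTRS:
                self.dropped.append((tag, name, value))
                continue
            parts.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(html_text, allow_named_properties=False):
    """Return (sanitised_html, dropped_attributes) for the given markup."""
    parser = NamedPropertySanitizer(allow_named_properties)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Running `sanitize(SAMPLE_HTML)` strips the `name` on the anchor and the `id` on the image, while `sanitize(SAMPLE_HTML, allow_named_properties=True)` reproduces the old behaviour and keeps both.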
Affected packages (6)
| Ecosystem | Package | Affected versions |
|---|---|---|
| Bitnami | jupyter-base-notebook | >= 7.0.0 |
| Bitnami | jupyterlab | from 0, < 4.2.5 |
| Bitnami | jupyter-notebook | >= 7.0.0, < 7.2.2 |
| Debian | jupyterlab | from 0, < 4.0.11+ds1+~cs11.25.27-3 |
| PyPI | jupyterlab | from 0, < 3.6.8 |
| PyPI | notebook | >= 7.0.0, < 7.2.2 |
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-43805
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2024-43805
- PATCH: https://github.com/jupyterlab/jupyterlab
- WEB: https://github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093
- WEB: https://github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674
- WEB: https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2