=====================================================================
                    CERT-Renater Note d'Information
                           No. 2024/VULN047
_____________________________________________________________________

DATE                 : 22/01/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running jupyterlab (pip) versions prior
                       to 4.0.11 or 3.6.7, and notebook (pip) versions
                       prior to 7.0.7.
=====================================================================

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
_____________________________________________________________________

Potential authentication and CSRF tokens leak in JupyterLab
Severity : High
Published by krassowski as GHSA-44cc-43rp-5947 on Jan 19, 2024

Package            Affected versions        Patched versions
jupyterlab (pip)   >=4.0.0, <=4.0.10        4.0.11
                   <=3.6.6                  3.6.7
notebook (pip)     >=7.0.0, <=7.0.6         7.0.7

Description

Impact
Users of JupyterLab who click on a malicious link may have their
Authorization and XSRFToken tokens exposed to a third party when the
instance is running an older jupyter-server version.

Patches
JupyterLab 4.1.0b2, 4.0.11 and 3.6.7 were patched.

Workarounds
No workaround has been identified; however, users should make sure that
jupyter-server is upgraded to version 2.7.2 or newer, which includes the
redirect vulnerability fix that the token leak relies on.

References
Vulnerability reported by user @davwwwx via the bug bounty program
sponsored by the European Commission and hosted on the Intigriti
platform.

Severity : High, 7.6/10
CVSS base metrics
  Attack vector        : Network
  Attack complexity    : Low
  Privileges required  : None
  User interaction     : Required
  Scope                : Unchanged
  Confidentiality      : High
  Integrity            : Low
  Availability         : Low
CVSS vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
CVE ID      : CVE-2024-22421
Weaknesses  : CWE-23
Credits     : @davwwwx (davwwwx), reporter
_____________________________________________________________________

XSS in Markdown Preview
Severity : Moderate
Published by krassowski as GHSA-4m77-cmpx-vjc4 on Jan 19, 2024

Package            Affected versions        Patched versions
jupyterlab (pip)   >=4.0.0, <=4.0.10        4.0.11
notebook (pip)     >=7.0.0, <=7.0.6         7.0.7

Description

Impact
Exploitation requires user interaction: the victim must open a malicious
notebook containing Markdown cells, or a malicious Markdown file, using
the JupyterLab preview feature. A malicious user can then access any
data the attacked user has access to, and perform arbitrary requests
acting as the attacked user.

Patches
JupyterLab v4.0.11 was patched.

Workarounds
Users can disable the table of contents plugin by running:

    jupyter labextension disable @jupyterlab/toc-extension:registry

To confirm that the plugin was disabled, run:

    jupyter labextension list

References
Vulnerability reported via the bug bounty program sponsored by the
European Commission and hosted on the Intigriti platform.

Severity : Moderate, 6.5/10
CVSS base metrics
  Attack vector        : Network
  Attack complexity    : Low
  Privileges required  : None
  User interaction     : Required
  Scope                : Unchanged
  Confidentiality      : High
  Integrity            : None
  Availability         : None
CVSS vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVE ID      : CVE-2024-22420
Weaknesses  : CWE-79

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41         +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
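The affected and patched version ranges of both advisories above, together with the jupyter-server 2.7.2 threshold named in the first workaround, are easy to misread in a table; the following script encodes them so an administrator can audit an environment mechanically. It is an added example written for this note, not code from JupyterLab, jupyter-server or CERT-Renater. It assumes only the Python standard library (importlib.metadata to read installed versions); the package names "jupyterlab", "notebook" and "jupyter_server" are the pip distribution names, and pre-release suffixes such as "b2" are dropped before comparison, which is an assumption of this script, not a statement from the advisory.

```python
"""Version check for CERT-Renater 2024/VULN047 (GHSA-44cc-43rp-5947 and
GHSA-4m77-cmpx-vjc4): reports whether the installed jupyterlab / notebook
versions fall inside the affected ranges printed in the advisory, and
whether jupyter-server is older than the 2.7.2 redirect fix.

Added illustration; not code from JupyterLab or CERT-Renater.
"""
import re
from importlib.metadata import version, PackageNotFoundError

# Affected ranges exactly as the advisory states them: (low, high, fixed).
# low/high are inclusive version tuples; an empty low bound means "every
# earlier release", matching the advisory's "<=3.6.6" with no lower bound.
ADVISORY = {
    "jupyterlab": [
        ((4, 0, 0), (4, 0, 10), "4.0.11"),
        ((), (3, 6, 6), "3.6.7"),
    ],
    "notebook": [
        ((7, 0, 0), (7, 0, 6), "7.0.7"),
    ],
}
# Workaround for the token leak: jupyter-server must carry the redirect fix.
JUPYTER_SERVER_FIXED = (2, 7, 2)


def parse_version(text):
    """Turn '4.0.10' or '4.1.0b2' into a comparable tuple of ints.

    Pre-release suffixes (b2, rc1, .dev0) are dropped (assumption of this
    script), so a pre-release of a patched version is reported as patched;
    review those by hand.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(package, installed):
    """Return the patched version to upgrade to, or None when the installed
    version lies outside every affected range of that package."""
    v = parse_version(installed)
    for low, high, fixed in ADVISORY.get(package, []):
        if low <= v <= high:
            return fixed
    return None


def jupyter_server_needs_upgrade(installed):
    """True when jupyter-server is older than 2.7.2 (no redirect fix)."""
    return parse_version(installed) < JUPYTER_SERVER_FIXED


def audit_environment():
    """Inspect the running interpreter's installed distributions and return
    a list of (package, installed_version, remediation) tuples.
    Packages that are not installed are silently skipped."""
    findings = []
    for pkg in ADVISORY:
        try:
            inst = version(pkg)
        except PackageNotFoundError:
            continue
        fixed = is_affected(pkg, inst)
        if fixed:
            findings.append((pkg, inst, f"upgrade to {fixed}"))
    try:
        js = version("jupyter_server")
    except PackageNotFoundError:
        js = None
    if js is not None and jupyter_server_needs_upgrade(js):
        findings.append(("jupyter_server", js, "upgrade to 2.7.2 or newer"))
    return findings


if __name__ == "__main__":
    findings = audit_environment()
    if not findings:
        print("no affected jupyterlab/notebook/jupyter-server version found")
    for pkg, inst, fix in findings:
        print(f"{pkg} {inst}: {fix}")
```

Run it inside the virtual environment that serves JupyterLab; an empty result only means the three distributions are absent or outside the ranges above, it does not confirm that the table-of-contents plugin workaround has been applied, which still has to be checked with `jupyter labextension list`.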