Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-2432-1:BE758
HistoryNov 19, 2020 - 4:54 a.m.

[SECURITY] [DLA 2432-1] jupyter-notebook security update

2020-11-1904:54:03
lists.debian.org
50

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

39.9%

JSON

Debian LTS Advisory DLA-2432-1 [email protected]
https://www.debian.org/lts/security/ Abhijith PA
November 19, 2020 https://wiki.debian.org/LTS

Package : jupyter-notebook
Version : 4.2.3-4+deb9u1
CVE ID : CVE-2018-8768 CVE-2018-19351 CVE-2018-21030
Debian Bug : 893436 917409

Several vulnerabilities have been discovered in jupyter-notebook.

CVE-2018-8768

A maliciously forged notebook file can bypass sanitization to execute
Javascript in the notebook context. Specifically, invalid HTML is
'fixed' by jQuery after sanitization, making it dangerous.

CVE-2018-19351

allows XSS via an untrusted notebook because nbconvert responses are
considered to have the same origin as the notebook server.

CVE-2018-21030

jupyter-notebook does not use a CSP header to treat served files as
belonging to a separate origin. Thus, for example, an XSS payload can
be placed in an SVG document.

For Debian 9 stretch, these problems have been fixed in version
4.2.3-4+deb9u1.

We recommend that you upgrade your jupyter-notebook packages.

For the detailed security status of jupyter-notebook please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jupyter-notebook

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9alljupyter-notebook< 4.2.3-4+deb9u1jupyter-notebook_4.2.3-4+deb9u1_all.deb

Related

osv 12
openvas 10
nessus 9
cve 3
cvelist 3
veracode 2
github 3
prion 3
ubuntucve 3
debiancve 3
fedora 6
mageia 2
ubuntu 2
freebsd 1
archlinux 1
osv
osv
jupyter-notebook - security update
2020-11-04 00:00:00
Jupyter Notebook XSS via untrusted notebooks
2018-11-21 22:15:47
CVE-2018-19351
2018-11-18 17:29:00
openvas
openvas
Debian: Security Advisory (DLA-2432-1)
2020-11-20 00:00:00
Fedora Update for python-notebook FEDORA-2018-b621d86462
2018-03-30 00:00:00
Ubuntu: Security Advisory (USN-4855-1)
2023-01-27 00:00:00
nessus
nessus
Debian DLA-2432-1 : jupyter-notebook security update
2020-11-19 00:00:00
Fedora 26 : python-notebook (2018-ddb95c8324)
2018-03-30 00:00:00
Fedora 28 : python-notebook (2018-1fdcb294e3)
2019-01-03 00:00:00
cve
cve
CVE-2018-21030
2019-10-31 15:15:00
CVE-2018-19351
2018-11-18 17:29:00
CVE-2018-8768
2018-03-18 06:29:00
cvelist
cvelist
CVE-2018-19351
2018-11-18 17:00:00
CVE-2018-21030
2019-10-31 14:52:45
CVE-2018-8768
2018-03-18 06:00:00
veracode
veracode
Cross-site Scripting (XSS)
2018-11-19 03:10:44
Remote Code Execution (RCE)
2018-03-16 04:33:36
github
github
Jupyter Notebook XSS via untrusted notebooks
2018-11-21 22:15:47
Cross-site scripting in Jupyter Notebook
2019-11-08 17:07:42
Jupyter Notebook file bypasses sanitization, executes JavaScript
2018-07-12 12:00:00
prion
prion
Cross site scripting
2018-11-18 17:29:00
Cross site scripting
2019-10-31 15:15:00
Design/Logic Flaw
2018-03-18 06:29:00
ubuntucve
ubuntucve
CVE-2018-21030
2019-10-31 00:00:00
CVE-2018-19351
2018-11-18 00:00:00
CVE-2018-8768
2018-03-18 00:00:00
debiancve
debiancve
CVE-2018-19351
2018-11-18 17:29:00
CVE-2018-21030
2019-10-31 15:15:00
CVE-2018-8768
2018-03-18 06:29:00
fedora
fedora
[SECURITY] Fedora 27 Update: python-notebook-5.2.1-2.fc27
2018-03-29 16:21:48
[SECURITY] Fedora 26 Update: python-notebook-5.0.0-2.fc26
2018-03-29 15:54:07
[SECURITY] Fedora 28 Update: python-notebook-5.4.0-2.fc28
2018-03-30 13:38:11
mageia
mageia
Updated jupyter-notebook packages fix security vulnerability
2018-03-26 23:21:11
Updated jupyter-notebook packages fix security vulnerability
2022-09-10 23:26:43
ubuntu
ubuntu
IPython vulnerability
2021-03-15 00:00:00
Jupyter Notebook vulnerabilities
2022-08-30 00:00:00
freebsd
freebsd
Jupyter Notebook -- vulnerability
2018-03-18 00:00:00
archlinux
archlinux
[ASA-201812-1] jupyter-notebook: cross-site scripting
2018-12-06 00:00:00

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

39.9%

JSON
Related for DEBIAN:DLA-2432-1:BE758
osv12openvas10nessus9cve3cvelist3veracode2github3prion3ubuntucve3debiancve3fedora6mageia2ubuntu2freebsd1archlinux1