ID FEDORA:7C0696077C1F Type fedora Reporter Fedora Modified 2019-04-12T01:16:26
Description
The Jupyter Notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text. The Notebook has support for multiple programming languages, sharing, and interactive widgets.
{"id": "FEDORA:7C0696077C1F", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 29 Update: python-notebook-5.7.8-1.fc29", "description": "The Jupyter Notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text. The Notebook has support for multiple programming languages, sharing, and interactive widgets. ", "published": "2019-04-12T01:16:26", "modified": "2019-04-12T01:16:26", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2018-19351", "CVE-2018-19352", "CVE-2019-10255", "CVE-2019-9644"], "lastseen": "2020-12-21T08:17:55", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-19351", "CVE-2018-19352", "CVE-2019-10255", "CVE-2019-9644"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310876115", "OPENVAS:1361412562310875352", "OPENVAS:1361412562310875833"]}, {"type": "archlinux", "idList": ["ASA-201812-1"]}, {"type": "nessus", "idList": ["FEDORA_2019-9E67979B2A.NASL", "FEDORA_2018-B9581D9624.NASL", "DEBIAN_DLA-2432.NASL", "FREEBSD_PKG_FE7E322F522D11E998B5216E512DAD89.NASL", "FEDORA_2018-B792D607FD.NASL", "FEDORA_2019-A6E1287E76.NASL"]}, {"type": "fedora", "idList": ["FEDORA:6C884604AF9F", "FEDORA:DE8796030B2C", "FEDORA:2C55960A35C1"]}, {"type": "github", "idList": ["GHSA-49QR-XH3W-H436", "GHSA-RV62-4PMJ-XW6H", "GHSA-3P4Q-X8F3-P7VQ"]}, {"type": "freebsd", "idList": ["FE7E322F-522D-11E9-98B5-216E512DAD89"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2432-1:BE758"]}], "modified": "2020-12-21T08:17:55", "rev": 2}, "score": {"value": 5.5, "vector": "NONE", "modified": "2020-12-21T08:17:55", "rev": 2}, "vulnersScore": 5.5}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "29", "arch": "any", "packageName": "python-notebook", "packageVersion": "5.7.8", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2021-02-02T06:52:34", "description": "Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-11-18T17:29:00", "title": "CVE-2018-19352", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-19352"], "modified": "2018-12-17T19:27:00", "cpe": [], "id": "CVE-2018-19352", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19352", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T06:52:34", "description": "Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.", "edition": 8, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-11-18T17:29:00", "title": "CVE-2018-19351", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-19351"], "modified": "2020-11-19T07:15:00", "cpe": [], "id": "CVE-2018-19351", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19351", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T07:12:45", "description": "An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-03-28T16:29:00", "title": "CVE-2019-10255", "type": "cve", "cwe": ["CWE-601"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-10255"], "modified": "2019-04-12T03:29:00", "cpe": [], "id": "CVE-2019-10255", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10255", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-02T07:13:07", "description": "An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.5}, "published": "2019-03-12T09:29:00", "title": "CVE-2019-9644", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9644"], "modified": "2019-04-12T03:29:00", "cpe": [], "id": "CVE-2019-9644", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9644", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "openvas": [{"lastseen": "2019-05-29T18:32:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9644", "CVE-2019-10255", "CVE-2018-19351", "CVE-2018-19352"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875833", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875833", "type": "openvas", "title": "Fedora Update for python-notebook FEDORA-2019-9e67979b2a", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875833\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-10255\", \"CVE-2019-9644\", \"CVE-2018-19351\", \"CVE-2018-19352\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:22:49 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for python-notebook FEDORA-2019-9e67979b2a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-9e67979b2a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-notebook'\n package(s) announced via the FEDORA-2019-9e67979b2a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Jupyter Notebook is a web application that allows you to create and\nshare documents that contain live code, equations, visualizations, and\nexplanatory text. The Notebook has support for multiple programming\nlanguages, sharing, and interactive widgets.\");\n\n script_tag(name:\"affected\", value:\"'python-notebook' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python-notebook\", rpm:\"python-notebook~5.7.8~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19351", "CVE-2018-19352"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-12-13T00:00:00", "id": "OPENVAS:1361412562310875352", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875352", "type": "openvas", "title": "Fedora Update for python-notebook FEDORA-2018-b9581d9624", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_b9581d9624_python-notebook_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for python-notebook FEDORA-2018-b9581d9624\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875352\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-19351\", \"CVE-2018-19352\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-13 08:02:51 +0100 (Thu, 13 Dec 2018)\");\n script_name(\"Fedora Update for python-notebook FEDORA-2018-b9581d9624\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b9581d9624\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CWGCKHWXWL6NLWNBVKZLIZKZVRARYHDM\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-notebook'\n package(s) announced via the FEDORA-2018-b9581d9624 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"python-notebook on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"python-notebook\", rpm:\"python-notebook~5.5.0~6.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19351", "CVE-2018-19352"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310876115", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876115", "type": "openvas", "title": "Fedora Update for python-notebook FEDORA-2018-b792d607fd", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876115\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2018-19351\", \"CVE-2018-19352\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:35:09 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for python-notebook FEDORA-2018-b792d607fd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b792d607fd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCO4Z5FIPLT5LI5U5ZWKP7EWURS2VF2V\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python-notebook'\n package(s) announced via the FEDORA-2018-b792d607fd advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Jupyter Notebook is a web application that allows you to create and\nshare documents that contain live code, equations, visualizations, and\nexplanatory text. The Notebook has support for multiple programming\nlanguages, sharing, and interactive widgets.\");\n\n script_tag(name:\"affected\", value:\"'python-notebook' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python-notebook\", rpm:\"python-notebook~5.7.2~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2018-19351", "CVE-2018-19352"], "description": "Arch Linux Security Advisory ASA-201812-1\n=========================================\n\nSeverity: Medium\nDate : 2018-12-06\nCVE-ID : CVE-2018-19351 CVE-2018-19352\nPackage : jupyter-notebook\nType : cross-site scripting\nRemote : No\nLink : https://security.archlinux.org/AVG-820\n\nSummary\n=======\n\nThe package jupyter-notebook before version 5.7.2-1 is vulnerable to\ncross-site scripting.\n\nResolution\n==========\n\nUpgrade to 5.7.2-1.\n\n# pacman -Syu \"jupyter-notebook>=5.7.2-1\"\n\nThe problems have been fixed upstream in version 5.7.2.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2018-19351 (cross-site scripting)\n\nA security issue has been found in Jupyter Notebook versions prior to\n5.7.1, where untrusted javascript could be executed if malicious files\ncould be delivered to the users system and the user takes specific\nactions with those malicious files. It allowed nbconvert endpoints\n(such as Print Preview) to render untrusted HTML and javascript with\naccess to the notebook server.\n\n- CVE-2018-19352 (cross-site scripting)\n\nA security issue has been found in Jupyter Notebook versions prior to\n5.7.2, where untrusted javascript could be executed if malicious files\ncould be delivered to the users system and the user takes specific\nactions with those malicious files. It allowed maliciously crafted\ndirectory names to execute javascript when opened in the tree view.\n\nImpact\n======\n\nA remote attacker is able to execute javascript and create html content\nby tricking users into opening and interacting with maliciously crafted\nnotebook files.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/60910\nhttps://blog.jupyter.org/jupyter-notebook-security-fixes-59817e86a711\nhttps://blog.jupyter.org/security-fix-for-jupyter-notebook-450f272b6932?gi=dbc3ae28c796\nhttps://security.archlinux.org/CVE-2018-19351\nhttps://security.archlinux.org/CVE-2018-19352", "modified": "2018-12-06T00:00:00", "published": "2018-12-06T00:00:00", "id": "ASA-201812-1", "href": "https://security.archlinux.org/ASA-201812-1", "type": "archlinux", "title": "[ASA-201812-1] jupyter-notebook: cross-site scripting", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-19351", "CVE-2018-19352"], "description": "The Jupyter Notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text. The Notebook has support for multiple programming languages, sharing, and interactive widgets. ", "modified": "2018-11-30T02:51:35", "published": "2018-11-30T02:51:35", "id": "FEDORA:6C884604AF9F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python-notebook-5.7.2-1.fc29", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-19351", "CVE-2018-19352"], "description": "The Jupyter Notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text. The Notebook has support for multiple programming languages, sharing, and interactive widgets. ", "modified": "2018-12-11T01:57:09", "published": "2018-12-11T01:57:09", "id": "FEDORA:2C55960A35C1", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: python-notebook-5.5.0-6.fc28", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10255", "CVE-2019-9644"], "description": "The Jupyter Notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text. The Notebook has support for multiple programming languages, sharing, and interactive widgets. ", "modified": "2019-04-08T00:02:04", "published": "2019-04-08T00:02:04", "id": "FEDORA:DE8796030B2C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: python-notebook-5.7.8-1.fc30", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-07T10:20:56", "description": "Security fix for CVE-2018-19351, CVE-2018-19352\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : python-notebook (2018-b9581d9624)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19351", "CVE-2018-19352"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-notebook", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-B9581D9624.NASL", "href": "https://www.tenable.com/plugins/nessus/120736", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-b9581d9624.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120736);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19351\", \"CVE-2018-19352\");\n script_xref(name:\"FEDORA\", value:\"2018-b9581d9624\");\n\n script_name(english:\"Fedora 28 : python-notebook (2018-b9581d9624)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2018-19351, CVE-2018-19352\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-b9581d9624\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-notebook package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/11/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"python-notebook-5.5.0-6.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-notebook\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T10:20:54", "description": "Update to 5.7.2, fix CVE-2018-19351, CVE-2018-19352\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 29 : python-notebook (2018-b792d607fd)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19351", "CVE-2018-19352"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-notebook", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2018-B792D607FD.NASL", "href": "https://www.tenable.com/plugins/nessus/120730", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-b792d607fd.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120730);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19351\", \"CVE-2018-19352\");\n script_xref(name:\"FEDORA\", value:\"2018-b792d607fd\");\n\n script_name(english:\"Fedora 29 : python-notebook (2018-b792d607fd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to 5.7.2, fix CVE-2018-19351, CVE-2018-19352\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-b792d607fd\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-notebook package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/11/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"python-notebook-5.7.2-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-notebook\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-01T02:35:45", "description": "Security fix for CVE-2019-10255, CVE-2019-9644.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-04-12T00:00:00", "title": "Fedora 29 : python-notebook (2019-9e67979b2a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9644", "CVE-2019-10255"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-notebook", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2019-9E67979B2A.NASL", "href": "https://www.tenable.com/plugins/nessus/124010", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-9e67979b2a.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124010);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/23\");\n\n script_cve_id(\"CVE-2019-10255\", \"CVE-2019-9644\");\n script_xref(name:\"FEDORA\", value:\"2019-9e67979b2a\");\n\n script_name(english:\"Fedora 29 : python-notebook (2019-9e67979b2a)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2019-10255, CVE-2019-9644.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-9e67979b2a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-notebook package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"python-notebook-5.7.8-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-notebook\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-01T02:36:18", "description": "Security fix for CVE-2019-10255, CVE-2019-9644.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-05-02T00:00:00", "title": "Fedora 30 : python-notebook (2019-a6e1287e76)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-9644", "CVE-2019-10255"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:python-notebook", "cpe:/o:fedoraproject:fedora:30"], "id": "FEDORA_2019-A6E1287E76.NASL", "href": "https://www.tenable.com/plugins/nessus/124526", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-a6e1287e76.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124526);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/21\");\n\n script_cve_id(\"CVE-2019-10255\", \"CVE-2019-9644\");\n script_xref(name:\"FEDORA\", value:\"2019-a6e1287e76\");\n\n script_name(english:\"Fedora 30 : python-notebook (2019-a6e1287e76)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2019-10255, CVE-2019-9644.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-a6e1287e76\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected python-notebook package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:python-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:30\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^30([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 30\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC30\", reference:\"python-notebook-5.7.8-1.fc30\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-notebook\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-01T02:57:52", "description": "Jupyter blog :\n\nLogin pages tend to take a parameter for redirecting back to a page\nafter successful login, e.g. /login?next=/notebooks/mynotebook.ipynb,\nso that you aren't disrupted too much if you try to visit a page, but\nhave to authenticate first. An Open Redirect Vulnerability is when a\nmalicious person crafts a link pointing to the login page of a trusted\nsite, but setting the 'redirect after successful login' parameter to\nsend the user to their own site, instead of a page on the\nauthenticated site (the notebook or JupyterHub server), e.g.\n/login?next=http://badwebsite.biz. This doesn't necessarily compromise\nanything immediately, but it enables phishing if users don't notice\nthat the domain has changed, e.g. by showing a fake 're-enter your\npassword' page. Servers generally have to validate the redirect URL to\navoid this. Both JupyterHub and Notebook already do this, but the\nvalidation didn't take into account all possible ways to redirect to\nother sites, so some malicious URLs could still be crafted to redirect\naway from the server (the above example does not work in any recent\nversion of either package). Only certain browsers (Chrome and Firefox,\nnot Safari) could be redirected from the JupyterHub login page, but\nall browsers could be redirected away from a standalone notebook\nserver.", "edition": 19, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-04-01T00:00:00", "title": "FreeBSD : Jupyter notebook -- open redirect vulnerability (fe7e322f-522d-11e9-98b5-216e512dad89)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10255"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:py37-notebook", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:py35-notebook", "p-cpe:/a:freebsd:freebsd:py27-notebook", "p-cpe:/a:freebsd:freebsd:py36-notebook"], "id": "FREEBSD_PKG_FE7E322F522D11E998B5216E512DAD89.NASL", "href": "https://www.tenable.com/plugins/nessus/123540", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(123540);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/27\");\n\n script_cve_id(\"CVE-2019-10255\");\n\n script_name(english:\"FreeBSD : Jupyter notebook -- open redirect vulnerability (fe7e322f-522d-11e9-98b5-216e512dad89)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jupyter blog :\n\nLogin pages tend to take a parameter for redirecting back to a page\nafter successful login, e.g. /login?next=/notebooks/mynotebook.ipynb,\nso that you aren't disrupted too much if you try to visit a page, but\nhave to authenticate first. An Open Redirect Vulnerability is when a\nmalicious person crafts a link pointing to the login page of a trusted\nsite, but setting the 'redirect after successful login' parameter to\nsend the user to their own site, instead of a page on the\nauthenticated site (the notebook or JupyterHub server), e.g.\n/login?next=http://badwebsite.biz. This doesn't necessarily compromise\nanything immediately, but it enables phishing if users don't notice\nthat the domain has changed, e.g. by showing a fake 're-enter your\npassword' page. Servers generally have to validate the redirect URL to\navoid this. Both JupyterHub and Notebook already do this, but the\nvalidation didn't take into account all possible ways to redirect to\nother sites, so some malicious URLs could still be crafted to redirect\naway from the server (the above example does not work in any recent\nversion of either package). Only certain browsers (Chrome and Firefox,\nnot Safari) could be redirected from the JupyterHub login page, but\nall browsers could be redirected away from a standalone notebook\nserver.\"\n );\n # https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?57bc774a\"\n );\n # https://github.com/jupyter/notebook/blob/master/docs/source/changelog.rst\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1ee366c1\"\n );\n # https://vuxml.freebsd.org/freebsd/fe7e322f-522d-11e9-98b5-216e512dad89.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?765540ed\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py27-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py35-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py36-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:py37-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"py27-notebook<5.7.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py35-notebook<5.7.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py36-notebook<5.7.8\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"py37-notebook<5.7.8\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-11-26T09:36:19", "description": "Several vulnerabilities have been discovered in jupyter-notebook.\n\nCVE-2018-8768\n\nA maliciously forged notebook file can bypass sanitization to execute\nJavaScript in the notebook context. Specifically, invalid HTML is\n'fixed' by jQuery after sanitization, making it dangerous.\n\nCVE-2018-19351\n\nallows XSS via an untrusted notebook because nbconvert responses are\nconsidered to have the same origin as the notebook server.\n\nCVE-2018-21030\n\njupyter-notebook does not use a CSP header to treat served files as\nbelonging to a separate origin. Thus, for example, an XSS payload can\nbe placed in an SVG document.\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.2.3-4+deb9u1.\n\nWe recommend that you upgrade your jupyter-notebook packages.\n\nFor the detailed security status of jupyter-notebook please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/jupyter-notebook\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 2, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2020-11-19T00:00:00", "title": "Debian DLA-2432-1 : jupyter-notebook security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-21030", "CVE-2018-19351", "CVE-2018-8768"], "modified": "2020-11-19T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:python-notebook", "p-cpe:/a:debian:debian_linux:jupyter-notebook", "p-cpe:/a:debian:debian_linux:python-notebook-doc", "p-cpe:/a:debian:debian_linux:python3-notebook", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2432.NASL", "href": "https://www.tenable.com/plugins/nessus/143107", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2432-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143107);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/25\");\n\n script_cve_id(\"CVE-2018-19351\", \"CVE-2018-21030\", \"CVE-2018-8768\");\n\n script_name(english:\"Debian DLA-2432-1 : jupyter-notebook security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities have been discovered in jupyter-notebook.\n\nCVE-2018-8768\n\nA maliciously forged notebook file can bypass sanitization to execute\nJavaScript in the notebook context. Specifically, invalid HTML is\n'fixed' by jQuery after sanitization, making it dangerous.\n\nCVE-2018-19351\n\nallows XSS via an untrusted notebook because nbconvert responses are\nconsidered to have the same origin as the notebook server.\n\nCVE-2018-21030\n\njupyter-notebook does not use a CSP header to treat served files as\nbelonging to a separate origin. Thus, for example, an XSS payload can\nbe placed in an SVG document.\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.2.3-4+deb9u1.\n\nWe recommend that you upgrade your jupyter-notebook packages.\n\nFor the detailed security status of jupyter-notebook please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/jupyter-notebook\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/11/msg00033.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/jupyter-notebook\"\n );\n # https://security-tracker.debian.org/tracker/source-package/jupyter-notebook\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e187e811\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8768\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:jupyter-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python-notebook-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3-notebook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"jupyter-notebook\", reference:\"4.2.3-4+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python-notebook\", reference:\"4.2.3-4+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python-notebook-doc\", reference:\"4.2.3-4+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"python3-notebook\", reference:\"4.2.3-4+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2020-03-10T23:26:07", "bulletinFamily": "software", "cvelist": ["CVE-2018-19352"], "description": "Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.", "edition": 2, "modified": "2019-07-03T21:02:05", "published": "2018-11-21T22:19:22", "id": "GHSA-3P4Q-X8F3-P7VQ", "href": "https://github.com/advisories/GHSA-3p4q-x8f3-p7vq", "title": "Moderate severity vulnerability that affects notebook", "type": "github", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-10T23:26:07", "bulletinFamily": "software", "cvelist": ["CVE-2018-19351"], "description": "Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.", "edition": 2, "modified": "2019-07-03T21:02:05", "published": "2018-11-21T22:15:47", "id": "GHSA-49QR-XH3W-H436", "href": "https://github.com/advisories/GHSA-49qr-xh3w-h436", "title": "Moderate severity vulnerability that affects notebook", "type": "github", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-10T23:26:03", "bulletinFamily": "software", "cvelist": ["CVE-2019-10255"], "description": "An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.8 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.6 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.", "edition": 3, "modified": "2019-07-03T21:02:07", "published": "2019-04-02T15:46:54", "id": "GHSA-RV62-4PMJ-XW6H", "href": "https://github.com/advisories/GHSA-rv62-4pmj-xw6h", "title": "Moderate severity vulnerability that affects jupyterhub and notebook", "type": "github", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:31:45", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10255"], "description": "\nJupyter blog:\n\nLogin pages tend to take a parameter for redirecting back to a page\n\t after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb, so\n\t that you aren't disrupted too much if you try to visit a page, but have\n\t to authenticate first. An Open Redirect Vulnerability is when a\n\t malicious person crafts a link pointing to the login page of a trusted\n\t site, but setting the \"redirect after successful login\" parameter to\n\t send the user to their own site, instead of a page on the authenticated\n\t site (the notebook or JupyterHub server), e.g.\n\t /login?next=http://badwebsite.biz. This doesn't necessarily compromise\n\t anything immediately, but it enables phishing if users don't notice\n\t that the domain has changed, e.g. by showing a fake \"re-enter your\n\t password\" page. Servers generally have to validate the redirect URL to\n\t avoid this. Both JupyterHub and Notebook already do this, but the\n\t validation didn't take into account all possible ways to redirect to\n\t other sites, so some malicious URLs could still be crafted to redirect\n\t away from the server (the above example does not work in any recent\n\t version of either package). Only certain browsers (Chrome and Firefox,\n\t not Safari) could be redirected from the JupyterHub login page, but all\n\t browsers could be redirected away from a standalone notebook server.\n\n", "edition": 3, "modified": "2019-04-06T00:00:00", "published": "2019-03-28T00:00:00", "id": "FE7E322F-522D-11E9-98B5-216E512DAD89", "href": "https://vuxml.freebsd.org/freebsd/fe7e322f-522d-11e9-98b5-216e512dad89.html", "title": "Jupyter notebook -- open redirect vulnerability", "type": "freebsd", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "debian": [{"lastseen": "2020-11-19T13:19:39", "bulletinFamily": "unix", "cvelist": ["CVE-2018-21030", "CVE-2018-19351", "CVE-2018-8768"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2432-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Abhijith PA\nNovember 19, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : jupyter-notebook\nVersion : 4.2.3-4+deb9u1\nCVE ID : CVE-2018-8768 CVE-2018-19351 CVE-2018-21030\nDebian Bug : 893436 917409\n\nSeveral vulnerabilities have been discovered in jupyter-notebook.\n\nCVE-2018-8768\n\n A maliciously forged notebook file can bypass sanitization to execute\n Javascript in the notebook context. Specifically, invalid HTML is\n 'fixed' by jQuery after sanitization, making it dangerous.\n\nCVE-2018-19351\n\n allows XSS via an untrusted notebook because nbconvert responses are\n considered to have the same origin as the notebook server.\n\nCVE-2018-21030\n\n jupyter-notebook does not use a CSP header to treat served files as\n belonging to a separate origin. Thus, for example, an XSS payload can\n be placed in an SVG document.\n\nFor Debian 9 stretch, these problems have been fixed in version\n4.2.3-4+deb9u1.\n\nWe recommend that you upgrade your jupyter-notebook packages.\n\nFor the detailed security status of jupyter-notebook please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/jupyter-notebook\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2020-11-19T04:54:03", "published": "2020-11-19T04:54:03", "id": "DEBIAN:DLA-2432-1:BE758", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202011/msg00033.html", "title": "[SECURITY] [DLA 2432-1] jupyter-notebook security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}
