CVE-2024-43805

Source: ubuntu.com
Published: 2024-08-29 00:00:00

CVSS3: 7.6

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

AI Score: 7
Confidence: Low

EPSS: 0.001
Percentile: 17.7%

JupyterLab is an extensible environment for interactive and reproducible
computing, based on the Jupyter Notebook architecture. This vulnerability
depends on user interaction: the attacked user must open a malicious notebook
with Markdown cells, or a malicious Markdown file using the JupyterLab preview
feature. A malicious user can then access any data that the attacked user has
access to, as well as perform arbitrary requests acting as the attacked user.
JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 have been patched to
resolve this issue. Users are advised to upgrade. There is no workaround for
the underlying DOM clobbering susceptibility. However, on deployments which
cannot update in a timely fashion, the following plugins can be disabled to
minimise the risk:

1. @jupyterlab/mathjax-extension:plugin - users will lose the ability to
   preview mathematical equations.
2. @jupyterlab/markdownviewer-extension:plugin - users will lose the ability
   to open Markdown previews.
3. @jupyterlab/mathjax2-extension:plugin (if installed with the optional
   jupyterlab-mathjax2 package) - an older version of the MathJax plugin for
   JupyterLab 4.x.

To disable these extensions, run the following in bash:

```bash
jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && \
jupyter labextension disable @jupyterlab/mathjax-extension:plugin && \
jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
```
