CVE-2018-8768

HIGH7.8EPSS 0.11%

Jupyter Notebook file bypasses sanitization, executes JavaScript

Published: 7/12/2018Modified: 12/7/2024

Also known as:GHSA-6cwv-x26c-w2q4DEBIAN-CVE-2018-8768PYSEC-2018-57

Description

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

Affected packages (4)

Debian/ipythonfrom 0, < 5.1.0-2
Debian/jupyter-notebookfrom 0, < 5.4.1-1
PyPI/notebookfrom 0, < 5.4.1
PyPI/notebookfrom 0, < 5.4.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.8	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References (7)

ADVISORYhttps://github.com/advisories/GHSA-6cwv-x26c-w2q4
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-8768
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-8768
PATCHhttps://github.com/jupyter/notebook
WEBhttp://openwall.com/lists/oss-security/2018/03/15/2
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2018-57.yaml
WEBhttps://lists.debian.org/debian-lts-announce/2020/11/msg00033.html