CVE-2024-22420

描述

### Impact The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. ### Patches JupyterLab v4.0.11 was patched. ### Workarounds Users can either disable the table of contents extension by running: ```bash jupyter labextension disable @jupyterlab/toc-extension:registry ``` ### References Vulnerability reported via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).

受影響套件(6)

• Bitnami/jupyter-base-notebook>= 7.0.0
• Bitnami/jupyterlab>= 4.0.0, < 4.2.4
• Bitnami/jupyter-notebook>= 7.0.0, < 7.0.7
• Debian/jupyterlabfrom 0, < 4.0.11+ds1-1
• PyPI/jupyterlab>= 4.0.0, < 4.0.11
• PyPI/notebook>= 7.0.0, < 7.0.7

CVSS 分數

參考連結(8)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-22420
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-22420
• PATCHhttps://github.com/jupyterlab/jupyterlab
• WEBhttps://github.com/jupyterlab/jupyterlab/commit/dda0033cd49449572d077bbecd33b18d8d05f48a
• WEBhttps://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df
• WEBhttps://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H
• WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/