BIT-jupyterlab-2021-32797

Import Source
https://github.com/bitnami/vulndb/tree/main/data/jupyterlab/BIT-jupyterlab-2021-32797.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-jupyterlab-2021-32797
Aliases
Published
2024-03-06T10:54:25.501Z
Modified
2024-11-27T19:40:48.342Z
Summary
[none]
Details

JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions, an untrusted notebook can execute code on load. In particular, JupyterLab doesn't sanitize the action attribute of HTML <form> elements. Using this, it is possible to trigger form validation outside of the form itself. This is a remote code execution, but it requires user action to open a notebook.

Database specific
{
    "cpes": [
        "cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / jupyterlab

Package

Name
jupyterlab
Purl
pkg:bitnami/jupyterlab

Severity

  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Affected ranges

Type
SEMVER
Events
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 1.2.21
Introduced: 2.0.0
Fixed: 2.2.10
Introduced: 2.3.0
Fixed: 2.3.2
Introduced: 3.0.0
Fixed: 3.0.17
Introduced: 3.1.0
Fixed: 3.1.4