PYSEC-2014-21

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/ipython/PYSEC-2014-21.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2014-21

Aliases

CVE-2014-3429
GHSA-75cw-5cgv-g853

Published

2014-08-07T11:13:00Z

Modified

2024-04-29T12:11:21.983385Z

Summary

[none]

Details

IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.

References

http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
http://seclists.org/oss-sec/2014/q3/152
https://bugzilla.redhat.com/show_bug.cgi?id=1119890
https://github.com/ipython/ipython/pull/4845
http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:160
http://advisories.mageia.org/MGASA-2014-0320.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/94497

Affected packages

PyPI / ipython

Package

Name: ipython; View open source insights on deps.dev
Purl: pkg:pypi/ipython

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.12

Fixed

1.2.0

Affected versions

0.*

0.12

0.12.1

0.13

0.13.1

0.13.2

1.*

1.0.0

1.1.0