notebook@4.3.0 vulnerabilities

Jupyter Notebook - A web-based notebook environment for interactive computing

Direct Vulnerabilities

Known vulnerabilities in the notebook package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability / Severity / Vulnerable version range
  • Severity: Medium
Access Restriction Bypass

notebook is a web application that allows you to create and share documents that contain live code, equations, visualizations, and explanatory text.

Affected versions of this package are vulnerable to Access Restriction Bypass. ContentsManager.allow_hidden = False is meant to keep hidden files (for example dot-prefixed names) and the contents of hidden directories out of reach, but a fully authenticated request to a server configured that way can still read arbitrary hidden files and arbitrary files inside hidden directories. Because the setting is a server-side filter rather than a file-system permission, any hidden path readable by the server process is exposed to every authenticated user.

How to fix Access Restriction Bypass?

Upgrade notebook to version 6.4.12 or higher.

[,6.4.12)
  • Severity: High
Information Exposure

Affected versions of this package are vulnerable to Information Exposure. By default, whenever a request triggers an HTTP 5XX error, the server writes the request's headers, including its authentication cookies and other sensitive header values, to the server log. Anyone who can read those logs, or the system they are shipped to, can reuse a logged cookie to act as that user.

How to fix Information Exposure?

Upgrade notebook to version 6.4.10 or higher.

[,6.4.10)
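Upgrading removes the default logging of the full request, but a defender will also want credential-bearing values kept out of the log regardless of how a request is logged. The following is an added example, not code from the notebook project: it redacts credential headers and the token query parameter before a log line is assembled. The header and parameter names, the log-line format and the sample request are constructed for this illustration.

```python
"""Added example, not code from the notebook project: keeping credentials
out of the server log when a request fails.

The weakness above is that the full request, cookies included, was logged
on every 5XX response.  The functions here redact credential-bearing
headers and the token query parameter before a log line is assembled, so
the sensitive values never reach the log at all.  The header and parameter
names, the log-line format and the sample request are constructed for
this illustration.
"""
from typing import Dict, Mapping
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Headers that carry a session or API credential (constructed list).
SENSITIVE_HEADERS = frozenset({
    "cookie", "set-cookie", "authorization", "proxy-authorization", "x-xsrftoken",
})
# Query parameters that carry a credential; the notebook server accepts
# ?token=... on a request (constructed list).
SENSITIVE_PARAMS = frozenset({"token"})
REDACTED = "REDACTED"


def redact_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with credential values replaced."""
    return {
        name: (REDACTED if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def redact_query(uri: str) -> str:
    """Replace the value of credential-bearing query parameters in a request URI."""
    parts = urlsplit(uri)
    if not parts.query:
        return uri
    pairs = [
        (key, REDACTED if key.lower() in SENSITIVE_PARAMS else value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def format_error_log_line(method: str, uri: str, status: int,
                          headers: Mapping[str, str]) -> str:
    """Build the line that would be logged for a failed request, redacted."""
    rendered = " ".join(f"{k}={v!r}" for k, v in sorted(redact_headers(headers).items()))
    return f"{status} {method} {redact_query(uri)} {rendered}"


# A constructed failing request: the cookie and token are sample values.
SAMPLE_HEADERS = {
    "Cookie": "username-localhost-8888=s3ss10nc00k13",
    "Authorization": "token 4f3c9d1e",
    "User-Agent": "Mozilla/5.0",
    "Accept": "application/json",
}


def sample_log_line() -> str:
    """The redacted line for the constructed request above (a 500 on the contents API)."""
    return format_error_log_line("GET", "/api/contents?token=4f3c9d1e&content=0", 500,
                                 SAMPLE_HEADERS)


if __name__ == "__main__":
    print(sample_log_line())
```

Redacting at the point where the log line is built, rather than filtering log files afterwards, also protects any log shipper or aggregator that receives the line.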
  • Severity: Medium
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). Firefox does not send an Origin header on HTML form submissions, so a malicious page can submit a cross-site POST request with an empty body that bypasses the existing origin checks and triggers certain actions, such as starting a kernel.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade notebook to version 4.3.1 or higher.

[,4.3.1)
  • Severity: High
Arbitrary Code Execution

Affected versions of this package are vulnerable to Arbitrary Code Execution. An untrusted notebook can execute code as soon as it is opened, because special elements in its contents are not neutralized before being rendered (the input is not sanitized into a different plane). Opening the notebook is the only user action required.

How to fix Arbitrary Code Execution?

Upgrade notebook to version 5.7.11, 6.4.1 or higher.

[,5.7.11) [6.0.0,6.4.1)
  • Severity: Medium
Open Redirect

Affected versions of this package are vulnerable to Open Redirect. A maliciously crafted link to a notebook server can redirect the browser to a different website. All notebook servers are technically affected, but such links can only reasonably be made for known notebook server hosts. The redirect could be used to send the user to a spoofed server on the public internet.

How to fix Open Redirect?

Upgrade notebook to version 6.1.5 or higher.

[,6.1.5)
  • Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Files served by the notebook server are not sent with a Content-Security-Policy header that would treat them as belonging to a separate origin, so a served file that carries script, for example an SVG document with an embedded script, runs with the notebook server's origin and the user's session.

How to fix Cross-site Scripting (XSS)?

Upgrade notebook to version 5.5.0 or higher.

[,5.5.0)
  • Severity: High
Remote Code Execution

Affected versions of this package are vulnerable to Remote Code Execution. A maliciously forged notebook file can bypass sanitization and execute JavaScript in the notebook context. Specifically, invalid HTML that survives the sanitizer is subsequently 'fixed' by jQuery, and the repaired markup is dangerous.

How to fix Remote Code Execution?

Upgrade notebook to version 5.4.1 or higher.

[,5.4.1)
  • Severity: Medium
Open Redirect

Affected versions of this package are vulnerable to Open Redirect via a redirect target with an empty netloc: the server's URL parser sees no host in the target and accepts it, yet the browser resolves it to another site. This issue exists because of an incomplete fix for CVE-2019-10255.

How to fix Open Redirect?

Upgrade notebook to version 5.7.8 or higher.

[,5.7.8)
  • Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). A crafted link to the login page redirects the user to a malicious site after a successful login, which makes it useful for phishing. Servers running on a base_url prefix are not affected.

How to fix Cross-site Scripting (XSS)?

Upgrade notebook to version 5.7.7 or higher.

[,5.7.7)
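The three redirect entries above (the login-page redirect, the incomplete fix for it, and the later crafted-link redirect) all come down to how the server decides that a redirect target stays on this host. The following is an added example, not code from the notebook project, showing a check that urllib's notion of netloc alone cannot make safe, beside a hardened one. base_url, the function names and the attack strings are constructed for this illustration.

```python
"""Added example, not code from the notebook project: validating the
post-login redirect target so that it can only lead back into this server.

weak_next_url_ok is the kind of check that accepts "///evil.example":
urllib reports an empty netloc for it, but a browser collapses the extra
slashes and leaves for evil.example.  next_url_ok additionally requires
the target to look like a local absolute path (one leading slash followed
by neither a slash nor a backslash) and rejects schemes, backslashes and
control characters.  base_url, the function names and the attack strings
are constructed for this illustration.
"""
import re
from urllib.parse import urlsplit

# Exactly one leading slash, then a character that cannot start an authority.
# Browsers treat both "//host" and "/\host" as scheme-relative URLs.
_LOCAL_PATH = re.compile(r"^/(?![/\\])")


def weak_next_url_ok(next_url: str, base_url: str = "/") -> bool:
    """Incomplete check: relies on urllib's notion of netloc."""
    return next_url.startswith(base_url) and not urlsplit(next_url).netloc


def next_url_ok(next_url: str, base_url: str = "/") -> bool:
    """Hardened check: accept only an absolute path under base_url."""
    if not next_url.startswith(base_url):
        return False
    if not _LOCAL_PATH.match(next_url):
        return False
    # Backslashes can become slashes in a browser; CR/LF would let the value
    # inject further response headers.
    if any(ch in next_url for ch in "\\\r\n"):
        return False
    parts = urlsplit(next_url)
    return not parts.scheme and not parts.netloc


def safe_next_url(next_url: str, base_url: str = "/") -> str:
    """Return the target if it is safe, otherwise fall back to base_url."""
    return next_url if next_url_ok(next_url, base_url) else base_url


if __name__ == "__main__":
    for target in ("/tree", "//evil.example", "///evil.example",
                   "/\\evil.example", "http://evil.example"):
        print(f"{target!r:22} weak={weak_next_url_ok(target)!s:6} hardened={next_url_ok(target)}")
```

The point of the positive rule (one slash, then a non-slash) is that it does not depend on enumerating every spelling a browser will accept as "another host"; anything that is not plainly a local path is sent back to base_url.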
  • Severity: Medium
Cross-site Inclusion

Affected versions of this package are vulnerable to Cross-site Inclusion. A malicious page can include resources from the notebook server, and when a user who is authenticated to that server visits the page, their browser attaches the session cookie, so the included response can expose data that is only served to authenticated users.

How to fix Cross-site Inclusion?

Upgrade notebook to version 5.7.6 or higher.

[,5.7.6)
  • Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.

How to fix Cross-site Scripting (XSS)?

Upgrade notebook to version 5.7.2 or higher.

[,5.7.2)
  • Severity: Medium
Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks via an untrusted notebook, because nbconvert responses are served with the same origin as the notebook server: script in a converted untrusted notebook therefore runs with the notebook server's origin.

How to fix Cross-site Scripting (XSS)?

Upgrade notebook to version 5.7.1 or higher.

[,5.7.1)
  • Severity: Medium
Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) attacks due to improper validation of the CSRF token. A malicious user may be able to spawn new kernels and create empty, untitled files on the user's notebook server.

Note: This affects users of Firefox or Microsoft (IE, Edge) browsers, and any other browsers that do not set the Origin header on cross-site forms. WebKit and Blink based browsers like Safari and Chrome are not affected.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade notebook to version 4.3.1 or higher.

[,4.3.1)
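Both CSRF entries on this page (the Firefox empty-body form POST above and this one) describe the same gap: an origin check that is skipped when the browser sends no Origin header. The following is an added example, not code from the notebook project, placing that check beside one that fails closed. The Request shape, the cookie and header names and the sample requests are constructed for this illustration.

```python
"""Added example, not code from the notebook project: the origin check that
a cross-site form from an Origin-less browser slips past, beside a check
that does not depend on Origin being present.

weak_allow compares Origin with the server host but lets a state-changing
request through when the browser sends no Origin at all, which is exactly
what a cross-site HTML form submission from Firefox (at the time of this
advisory) looks like.  strict_allow treats such a request as cross-site
unless it carries a matching double-submit XSRF token (cookie value equal
to the X-XSRFToken header or the _xsrf form field) or an Origin/Referer
that names this host.  The Request shape, cookie and header names and the
sample requests are constructed for this illustration.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def _host_of(url: Optional[str]) -> Optional[str]:
    return urlsplit(url).netloc.lower() if url else None


def weak_allow(req: Request, server_host: str) -> bool:
    """Vulnerable: a missing Origin header is treated as same-site."""
    if req.method not in STATE_CHANGING:
        return True
    origin = req.header("Origin")
    if origin is None:
        return True  # bypass: browsers that omit Origin on forms are never checked
    return _host_of(origin) == server_host.lower()


def strict_allow(req: Request, server_host: str) -> bool:
    """Hardened: require proof of same-site origin for state-changing requests."""
    if req.method not in STATE_CHANGING:
        return True
    expected = req.cookies.get("_xsrf")
    supplied = req.header("X-XSRFToken") or req.form.get("_xsrf")
    if expected and supplied and hmac.compare_digest(expected, supplied):
        return True  # double-submit token: a cross-site page cannot read the cookie
    source = req.header("Origin") or req.header("Referer")
    if source is None:
        return False  # no token and no provenance: fail closed
    return _host_of(source) == server_host.lower()


# Constructed requests against a server at localhost:8888.
SERVER_HOST = "localhost:8888"
# A cross-site form POST from a browser that omits Origin; the victim's
# session cookies ride along automatically.
CROSS_SITE_FORM = Request("POST", headers={"Referer": "http://attacker.example/page"},
                          cookies={"_xsrf": "t0k3n"})
# The notebook UI's own XHR, which sends the token it read from its cookie.
SAME_SITE_XHR = Request("POST",
                        headers={"Origin": "http://localhost:8888", "X-XSRFToken": "t0k3n"},
                        cookies={"_xsrf": "t0k3n"})

if __name__ == "__main__":
    for name, req in (("cross-site form", CROSS_SITE_FORM), ("same-site XHR", SAME_SITE_XHR)):
        print(f"{name:16} weak={weak_allow(req, SERVER_HOST)!s:6} strict={strict_allow(req, SERVER_HOST)}")
```

The Referer fallback exists so that a same-site form without a token still works; if a referrer policy suppresses it, the request is refused rather than silently trusted, which is the safe direction to fail.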