Cross-site Scripting (XSS) Affecting jupyter-notebook package, versions <5.7.4-1


Severity

medium (Snyk's Security Team recommends NVD's CVSS assessment)

Threat Intelligence

EPSS: 0.19% (57th percentile)

  • Snyk ID SNYK-DEBIAN10-JUPYTERNOTEBOOK-268690
  • published 2 Dec 2018
  • disclosed 18 Nov 2018

How to fix?

Upgrade Debian:10 jupyter-notebook to version 5.7.4-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream jupyter-notebook package and not the jupyter-notebook package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
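The defect above is the absence of a Content-Security-Policy on nbconvert responses, so the browser treats an exported notebook's HTML as same-origin script. The following added example (not code from the jupyter-notebook project) is a defender-side check that parses a CSP header with its `script-src` / `default-src` fallback and reports whether a response would actually stop scripts from running; the header sets it inspects are constructed here for illustration.

```python
"""Decide whether an HTTP response's CSP prevents script execution.

Added example, not jupyter-notebook code.  It models the advisory's point:
an nbconvert export served with no CSP (or a permissive one) runs scripts
as same-origin with the notebook server.  A policy such as
``default-src 'none'`` is the kind of header that passes this check.
"""
from typing import Dict, List, Optional

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header into {directive: [source tokens]}.

    Directive names and source keywords are ASCII case-insensitive, so both
    are normalised to lower case; duplicate directives keep the first one,
    as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def effective_script_sources(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the source list governing scripts, or None if nothing restricts them.

    script-src wins when present; otherwise default-src applies.  Header name
    lookup is case-insensitive, as in HTTP.
    """
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return None
    policy = parse_csp(csp)
    return policy.get("script-src", policy.get("default-src"))

def blocks_scripts(headers: Dict[str, str]) -> bool:
    """True only when the effective script source list is exactly 'none'."""
    return effective_script_sources(headers) == ["'none'"]

# Constructed header sets for an nbconvert HTML export, before and after a fix.
UNPROTECTED = {"Content-Type": "text/html; charset=UTF-8"}
PROTECTED = {"Content-Type": "text/html; charset=UTF-8",
             "Content-Security-Policy": "default-src 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("no CSP", UNPROTECTED), ("default-src 'none'", PROTECTED)):
        print(f"{name}: scripts blocked = {blocks_scripts(hdrs)}")
```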