The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.
CVE-2021-32798 - Critical Severity Vulnerability
Jupyter Notebook - A web-based notebook environment for interactive computing
Library home page: https://files.pythonhosted.org/packages/d0/ca/a5a5ac9c839868ceddaa2672c399492ac1dbd4c4ce68f833a72a619fc225/notebook-5.4.0-py2.py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Container-Security-With-JenkinsCI/requirements.txt
Path to vulnerable library: /Container-Security-With-JenkinsCI/requirements.txt
Dependency Hierarchy: - :x: **notebook-5.4.0-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.
Publish Date: 2021-08-09
URL: CVE-2021-32798
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
Release Date: 2021-08-09
Fix Resolution: 5.7.7
Step up your Open Source Security Game with Mend here