CVE-2021-32862
### Vulnerable Libraries - nbconvert-5.6.1-py2.py3-none-any.whl, nbconvert-5.5.0-py2.py3-none-any.whl
### nbconvert-5.6.1-py2.py3-none-any.whl
Converting Jupyter Notebooks (.ipynb files) to other formats. Output formats include asciidoc, html, latex, markdown, pdf, py, rst, script. nbconvert can be used both as a Python library (`import nbconvert`) or as a command line tool (invoked as `jupyter nbconvert ...`).
### nbconvert-5.5.0-py2.py3-none-any.whl
Converting Jupyter Notebooks (.ipynb files) to other formats. Output formats include asciidoc, html, latex, markdown, pdf, py, rst, script. nbconvert can be used both as a Python library (`import nbconvert`) or as a command line tool (invoked as `jupyter nbconvert ...`).
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
CVE-2020-28493
### Vulnerable Library - Jinja2-2.11.2-py2.py3-none-any.whl
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re` regex and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the `urlize` filter, or by implementing request timeouts and limiting process memory.
CVE-2022-29238
### Vulnerable Library - notebook-5.7.10-py2.py3-none-any.whl
Jupyter Notebook - A web-based notebook environment for interactive computing
Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.
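The listing-versus-access gap described in CVE-2022-29238 above, as an added example that is not the notebook's own ContentsManager code: a hidden-path check that inspects every component of the requested path on every access, beside the pre-fix shape in which only directory listings were checked. The served tree, the probe paths and the function names are constructed for this illustration.

```python
from pathlib import PurePosixPath

# Constructed tree under the served root (think $HOME): relative paths only.
FILES = {"notebook.ipynb", "src/app.py", "src/.env", ".ssh/id_rsa", ".git/config"}
DIRS = {"", "src", ".ssh", ".git"}


def is_hidden(rel_path: str) -> bool:
    """True if any component of the path, not just the last one, is dot-prefixed."""
    return any(part.startswith(".") for part in PurePosixPath(rel_path).parts)


def _inside_root(rel_path: str) -> bool:
    """Refuse absolute paths and parent traversal so we stay under the root."""
    p = PurePosixPath(rel_path)
    return not p.is_absolute() and ".." not in p.parts


def allowed_before_fix(rel_path: str, allow_hidden: bool = False) -> bool:
    """Pre-6.4.12 shape as described: the hidden check guards directory
    listings only, so a direct request for a guessable file name goes through."""
    if not _inside_root(rel_path):
        return False
    if rel_path in DIRS:
        return allow_hidden or not is_hidden(rel_path)
    return rel_path in FILES          # file access: never checked


def allowed_after_fix(rel_path: str, allow_hidden: bool = False) -> bool:
    """6.4.12 shape: every access, file or directory, is checked the same way."""
    if not _inside_root(rel_path):
        return False
    if not allow_hidden and is_hidden(rel_path):
        return False
    return rel_path in DIRS or rel_path in FILES


def audit(allow_hidden: bool = False) -> dict:
    """Which probe paths each version would serve: (before_fix, after_fix)."""
    probes = ["", "src/app.py", "src/.env", ".ssh", ".ssh/id_rsa",
              ".git/config", "../etc/passwd"]
    return {p: (allowed_before_fix(p, allow_hidden),
                allowed_after_fix(p, allow_hidden)) for p in probes}


if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{path or '<root>'!r:20} before={verdict[0]!s:5} after={verdict[1]}")
```

The point the audit makes is that `allow_hidden = False` must be enforced on the path of the object actually being served, not only on the directory being listed, and that opting in remains explicit.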
## Vulnerable Library - jupyter-1.0.0-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
## Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
## Details
CVE-2021-32798
### Vulnerable Library - notebook-5.7.10-py2.py3-none-any.whl
Jupyter Notebook - A web-based notebook environment for interactive computing
Library home page: https://files.pythonhosted.org/packages/7a/fb/6b1735e8ff43f68e867928526134cd6ba22554d596862a7fe71092ba8fc8/notebook-5.7.10-py2.py3-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - :x: **notebook-5.7.10-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim computer using Jupyter APIs.
Publish Date: 2021-08-09
URL: CVE-2021-32798
### CVSS 3 Score Details (9.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
Release Date: 2021-08-09
Fix Resolution: notebook - 5.7.11, 6.4.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-39286
### Vulnerable Library - jupyter_core-4.6.3-py2.py3-none-any.whl
Jupyter core package. A base package on which Jupyter projects rely.
Library home page: https://files.pythonhosted.org/packages/63/0d/df2d17cdf389cea83e2efa9a4d32f7d527ba78667e0153a8e676e957b2f7/jupyter_core-4.6.3-py2.py3-none-any.whl
Path to dependency file: /test/sample-test/requirements.txt
Path to vulnerable library: /test/sample-test/requirements.txt,/backend/requirements.txt,/backend/src/apiserver/visualization/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - ipykernel-4.10.1-py2-none-any.whl
    - jupyter_client-5.3.5-py2.py3-none-any.whl
      - :x: **jupyter_core-4.6.3-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
Publish Date: 2022-10-26
URL: CVE-2022-39286
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363
Release Date: 2022-10-26
Fix Resolution: jupyter-core - 4.11.2
CVE-2022-21699
### Vulnerable Library - ipython-5.10.0-py2-none-any.whl
IPython: Productive Interactive Computing
Library home page: https://files.pythonhosted.org/packages/ce/2c/2849a2b37024a01a847c87d81825c0489eb22ffc6416cac009bf281ea838/ipython-5.10.0-py2-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - ipykernel-4.10.1-py2-none-any.whl
    - :x: **ipython-5.10.0-py2-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cross user temporary files. This vulnerability allows one user to run code as another on the same machine. All users are advised to upgrade.
Publish Date: 2022-01-19
URL: CVE-2022-21699
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/ipython/ipython/security/advisories/GHSA-pq7m-3gw7-gq5x
Release Date: 2022-01-19
Fix Resolution: ipython - 5.11,7.16.3,7.31.1,8.0.1
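CVE-2022-39286 and CVE-2022-21699 above share one root cause: executable startup files are picked up from a location another local user can write to (the working directory, a shared temp directory). The following added example, which is not jupyter_core's or IPython's code, shows a loader that keeps that shape next to one that drops the working directory and refuses any directory that is not owned by the current user or is group/world-writable. The file name, the directory layout and the planted contents are constructed; the ownership check assumes a POSIX host.

```python
import os
import stat
import tempfile
from pathlib import Path

CONFIG_NAME = "jupyter_config.py"   # hypothetical name, chosen to resemble Jupyter's


def is_trusted_dir(path: Path) -> bool:
    """A directory is trusted only if it exists, is owned by the current user
    (POSIX) and is not writable by group or others, so no other local user
    can drop a file into it."""
    try:
        st = path.stat()
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def search_path_before_fix(user_config_dir: Path, cwd: Path) -> list:
    """Pre-fix shape: the working directory is consulted first, so whoever can
    write there (a shared scratch dir, /tmp, another user's checkout) wins."""
    return [cwd, user_config_dir]


def search_path_after_fix(user_config_dir: Path, cwd: Path) -> list:
    """Fixed shape: the working directory is never consulted (cwd is ignored
    on purpose) and every remaining location must pass is_trusted_dir()."""
    return [d for d in (user_config_dir,) if is_trusted_dir(d)]


def load_config(search_path) -> dict:
    """Execute the first CONFIG_NAME found on the search path. This is what
    turns a planted file into code execution as the victim user."""
    for directory in search_path:
        cfg = directory / CONFIG_NAME
        if cfg.is_file():
            namespace = {}
            exec(compile(cfg.read_text(), str(cfg), "exec"), namespace)
            return namespace
    return {}


def demo():
    """Plant a config in a world-writable directory; return what each loader ran."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp) / "shared"          # constructed: a 0777 scratch dir
        shared.mkdir()
        shared.chmod(0o777)
        user_cfg = Path(tmp) / "dot-jupyter"   # constructed: the user's own config dir
        user_cfg.mkdir()
        user_cfg.chmod(0o700)
        (shared / CONFIG_NAME).write_text("PLANTED = True\n")     # attacker's file
        (user_cfg / CONFIG_NAME).write_text("PLANTED = False\n")  # victim's own file
        before = load_config(search_path_before_fix(user_cfg, cwd=shared))
        after = load_config(search_path_after_fix(user_cfg, cwd=shared))
        return before.get("PLANTED"), after.get("PLANTED")


def trust_check_demo():
    """is_trusted_dir() on fresh directories with modes 0700, 0770 and 0777."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o700, 0o770, 0o777):
            d = Path(tmp) / f"m{mode:o}"
            d.mkdir()
            d.chmod(mode)
            results.append(is_trusted_dir(d))
    return tuple(results)


if __name__ == "__main__":
    print(demo())              # (True, False) on a POSIX host
    print(trust_check_demo())  # (True, False, False)
```

The same check applies to any per-user runtime directory a tool creates under a shared location: create it with mode 0700, verify ownership and permissions before trusting what is inside, and never search the working directory for files that will be executed.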
CVE-2022-34749
### Vulnerable Library - mistune-0.8.4-py2.py3-none-any.whl
A sane and fast Markdown parser with useful plugins and renderers
Library home page: https://files.pythonhosted.org/packages/09/ec/4b43dae793655b7d8a25f76119624350b4d65eb663459eb9603d7f1f0345/mistune-0.8.4-py2.py3-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - notebook-5.7.10-py2.py3-none-any.whl
    - nbconvert-5.5.0-py2.py3-none-any.whl
      - :x: **mistune-0.8.4-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
Publish Date: 2022-07-25
URL: CVE-2022-34749
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-fw3v-x4f2-v673
Release Date: 2022-07-25
Fix Resolution: mistune - 2.0.3
CVE-2022-24758
### Vulnerable Library - notebook-5.7.10-py2.py3-none-any.whl
Jupyter Notebook - A web-based notebook environment for interactive computing
Library home page: https://files.pythonhosted.org/packages/7a/fb/6b1735e8ff43f68e867928526134cd6ba22554d596862a7fe71092ba8fc8/notebook-5.7.10-py2.py3-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - :x: **notebook-5.7.10-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
Publish Date: 2022-03-31
URL: CVE-2022-24758
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55
Release Date: 2022-03-31
Fix Resolution: notebook - 6.4.10
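The leak described in CVE-2022-24758 above comes from logging the raw request when a 5xx is raised. As an added example, not notebook's own error handler, here is a redaction step a 5xx handler can apply before logging: cookie values, the Authorization header and `token`-style query parameters are masked while the parts useful for debugging stay. The header and parameter lists and the sample request are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names and query parameters that carry credentials on a Jupyter-style
# server. Constructed list; extend it for your deployment.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-xsrftoken"}
SENSITIVE_PARAMS = {"token", "_xsrf"}


def _mask_cookie_header(value: str) -> str:
    """Keep cookie names (useful when debugging) but drop every value."""
    names = [part.split("=", 1)[0].strip()
             for part in value.split(";") if part.strip()]
    return "; ".join(f"{name}=<redacted>" for name in names)


def redact_headers(headers: dict) -> dict:
    """Return a copy of the request headers that is safe to write to a log."""
    safe = {}
    for name, value in headers.items():
        lowered = name.lower()
        if lowered == "cookie":
            safe[name] = _mask_cookie_header(value)
        elif lowered in SENSITIVE_HEADERS:
            safe[name] = "<redacted>"
        else:
            safe[name] = value
    return safe


def redact_uri(uri: str) -> str:
    """Mask credential-bearing query parameters such as ?token=..."""
    parts = urlsplit(uri)
    query = [(k, "<redacted>" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query, safe="<>"), parts.fragment))


def error_log_line(status: int, method: str, uri: str, headers: dict) -> str:
    """What a 5xx handler should log instead of the raw request object."""
    shown = ", ".join(f"{k}: {v}" for k, v in redact_headers(headers).items())
    return f"{status} {method} {redact_uri(uri)} [{shown}]"


# Constructed request resembling an authenticated notebook API call.
SAMPLE_HEADERS = {
    "Host": "localhost:8888",
    "Cookie": 'username-localhost-8888="2|1:0|10:1640000000|23:username-localhost-8888|44:ZmFrZQ==|deadbeefcafe"; _xsrf=2|abc|def|1640000000',
    "Authorization": "token 4f6c2e9b1d0a",
    "User-Agent": "Mozilla/5.0",
}
SAMPLE_URI = "/api/contents/notes.ipynb?token=4f6c2e9b1d0a&content=1"


if __name__ == "__main__":
    print(error_log_line(500, "GET", SAMPLE_URI, SAMPLE_HEADERS))
```

A log line produced this way still names the cookies and parameters that were present, which is what an operator needs to diagnose the failure, without giving a local reader of the log file a usable session.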
CVE-2023-24816
### Vulnerable Library - ipython-5.10.0-py2-none-any.whl
IPython: Productive Interactive Computing
Library home page: https://files.pythonhosted.org/packages/ce/2c/2849a2b37024a01a847c87d81825c0489eb22ffc6416cac009bf281ea838/ipython-5.10.0-py2-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - ipykernel-4.10.1-py2-none-any.whl
    - :x: **ipython-5.10.0-py2-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Versions prior to 8.10.0 are subject to a command injection vulnerability with very specific prerequisites. This vulnerability requires that the function `IPython.utils.terminal.set_term_title` be called on Windows in a Python environment where ctypes is not available. The dependency on `ctypes` in `IPython.utils._process_win32` prevents the vulnerable code from ever being reached in the ipython binary. However, as a library that could be used by another tool, `set_term_title` could be called and hence introduce a vulnerability. Should an attacker get untrusted input to an instance of this function, they would be able to inject shell commands as the current process, limited to the scope of that process. Users of ipython as a library are advised to upgrade. Users unable to upgrade should ensure that any calls to the `IPython.utils.terminal.set_term_title` function are done with trusted or filtered input.
Publish Date: 2023-02-10
URL: CVE-2023-24816
### CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-24816
Release Date: 2023-02-10
Fix Resolution: ipython - 8.10.0
WS-2021-0011
### Vulnerable Library - bleach-3.1.5-py2.py3-none-any.whl
An easy safelist-based HTML-sanitizing tool.
Library home page: https://files.pythonhosted.org/packages/9a/1e/7d6cb3b27cd2c490558349ca5d5cc05b390b017da1c704cac807ac8bd9fb/bleach-3.1.5-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt,/test/sample-test/requirements.txt,/backend/src/apiserver/visualization/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - notebook-5.7.10-py2.py3-none-any.whl
    - nbconvert-5.5.0-py2.py3-none-any.whl
      - :x: **bleach-3.1.5-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
Mozilla Bleach before 3.3.0 is vulnerable to a mutation XSS in `bleach.clean` when any of the `p`, `br`, `style`, `title`, `noscript`, `script`, `textarea`, `noframes`, `iframe` or `xmp` tags, together with either `svg` or `math`, is in the tag allowlist and the keyword argument `strip_comments=False` is passed.
Publish Date: 2021-02-01
URL: WS-2021-0011
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-vv2x-vrpj-qqpq
Release Date: 2021-02-01
Fix Resolution: bleach - 3.3.0
CVE-2024-22195
### Vulnerable Library - Jinja2-2.11.2-py2.py3-none-any.whl
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl
Path to dependency file: /test/sample-test/requirements.txt
Path to vulnerable library: /test/sample-test/requirements.txt,/backend/requirements.txt,/backend/src/apiserver/visualization/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - notebook-5.7.10-py2.py3-none-any.whl
    - :x: **Jinja2-2.11.2-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` filter can be abused to inject arbitrary HTML attribute keys and values, bypassing the auto escaping mechanism and potentially leading to XSS. It may also be possible to bypass attribute validation checks if they are blacklist-based.
Publish Date: 2024-01-11
URL: CVE-2024-22195
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
Release Date: 2024-01-11
Fix Resolution: jinja2 - 3.1.3
CVE-2023-28370
### Vulnerable Library - tornado-5.1.1.tar.gz
Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.
Library home page: https://files.pythonhosted.org/packages/e6/78/6e7b5af12c12bdf38ca9bfe863fcaf53dc10430a312d0324e76c1e5ca426/tornado-5.1.1.tar.gz
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/backend/requirements.txt,/test/sample-test/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - ipykernel-4.10.1-py2-none-any.whl
    - :x: **tornado-5.1.1.tar.gz** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
Open redirect vulnerability in Tornado versions 6.3.1 and earlier allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having user access a specially crafted URL.
Publish Date: 2023-05-25
URL: CVE-2023-28370
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Release Date: 2023-05-25
Fix Resolution: tornado - 6.3.2
CVE-2020-26215
### Vulnerable Library - notebook-5.7.10-py2.py3-none-any.whl
Jupyter Notebook - A web-based notebook environment for interactive computing
Library home page: https://files.pythonhosted.org/packages/7a/fb/6b1735e8ff43f68e867928526134cd6ba22554d596862a7fe71092ba8fc8/notebook-5.7.10-py2.py3-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - :x: **notebook-5.7.10-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5.
Publish Date: 2020-11-18
URL: CVE-2020-26215
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh
Release Date: 2020-11-18
Fix Resolution: notebook - 6.1.5
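CVE-2023-28370 and CVE-2020-26215 above are both open redirects reached through a crafted URL. As an added example, not Tornado's or notebook's code, the validator below accepts only a same-origin, path-only target and rejects the forms a browser would resolve to another host, including `//host`, `///host` and the backslash spellings, as well as CR/LF that would split the Location header. The probe URLs and the `/tree` default are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return a same-origin, path-only redirect target, or `default`.

    Rejects anything a browser would resolve to another origin: absolute URLs
    with a scheme, protocol-relative '//host' (and '///host', which the WHATWG
    URL parser also treats as a host), and backslash variants such as '/\\host'
    that browsers normalise to '//host'. CR/LF are refused because they would
    split the Location header.
    """
    if not next_url or "\r" in next_url or "\n" in next_url:
        return default
    candidate = next_url.replace("\\", "/")       # browsers treat '\' as '/'
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    # Rebuild from path and query only; scheme, host and fragment are dropped.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def build_location_header(request_next: str) -> str:
    """Value for the Location header of a login/redirect handler that takes a
    ?next= parameter; falls back to the app's own landing page."""
    return safe_redirect_target(request_next, default="/tree")


# Constructed probes: the first is legitimate, the rest are redirect attempts.
PROBES = [
    "/tree/work?x=1",
    "//attacker.example/phish",
    "/\\attacker.example/phish",
    "///attacker.example",
    "https://attacker.example/",
    "javascript:alert(1)",
]


def classify(probes=PROBES) -> dict:
    """Map each probe to the Location value the handler would emit."""
    return {p: build_location_header(p) for p in probes}


if __name__ == "__main__":
    for probe, location in classify().items():
        print(f"{probe!r:32} -> {location}")
```

Allowlisting the shape of the target is more robust than blocklisting known hosts: the notebook advisory's point that "links can only be reasonably made for known notebook server hosts" is exactly why a denylist of external domains does not help here.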
CVE-2024-34064
### Vulnerable Library - Jinja2-2.11.2-py2.py3-none-any.whl
A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl
Path to dependency file: /test/sample-test/requirements.txt
Path to vulnerable library: /test/sample-test/requirements.txt,/backend/requirements.txt,/backend/src/apiserver/visualization/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - notebook-5.7.10-py2.py3-none-any.whl
    - :x: **Jinja2-2.11.2-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an application accepts keys (as opposed to only values) as user input, and renders these in pages that other users see as well, an attacker could use this to inject other attributes and perform XSS. The fix for CVE-2024-22195 only addressed spaces but not other characters. Accepting keys as user input is now explicitly considered an unintended use case of the `xmlattr` filter, and code that does so without otherwise validating the input should be flagged as insecure, regardless of Jinja version. Accepting _values_ as user input continues to be safe. This vulnerability is fixed in 3.1.4.
Publish Date: 2024-05-06
URL: CVE-2024-34064
### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
Release Date: 2024-05-06
Fix Resolution: Jinja2 - 3.1.4
CVE-2021-32862
### Vulnerable Libraries - nbconvert-5.6.1-py2.py3-none-any.whl, nbconvert-5.5.0-py2.py3-none-any.whl

### nbconvert-5.6.1-py2.py3-none-any.whl
Converting Jupyter Notebooks (.ipynb files) to other formats. Output formats include asciidoc, html, latex, markdown, pdf, py, rst, script. nbconvert can be used both as a Python library (`import nbconvert`) or as a command line tool (invoked as `jupyter nbconvert ...`).
Library home page: https://files.pythonhosted.org/packages/79/6c/05a569e9f703d18aacb89b7ad6075b404e8a4afde2c26b73ca77bb644b14/nbconvert-5.6.1-py2.py3-none-any.whl
Path to dependency file: /backend/requirements.txt
Path to vulnerable library: /backend/requirements.txt,/test/sample-test/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - :x: **nbconvert-5.6.1-py2.py3-none-any.whl** (Vulnerable Library)

### nbconvert-5.5.0-py2.py3-none-any.whl
Converting Jupyter Notebooks (.ipynb files) to other formats. Output formats include asciidoc, html, latex, markdown, pdf, py, rst, script. nbconvert can be used both as a Python library (`import nbconvert`) or as a command line tool (invoked as `jupyter nbconvert ...`).
Library home page: https://files.pythonhosted.org/packages/35/e7/f46c9d65f149271e47fca6ab084ef5c6e4cb1870f4c5cce6690feac55231/nbconvert-5.5.0-py2.py3-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - :x: **nbconvert-5.5.0-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details

The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server (eg: nbviewer).
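A pre-conversion triage step for the situation described above: before handing a user-supplied `.ipynb` to nbconvert for HTML export, flag the places where raw HTML can enter the output. This is an added example, not nbconvert code. The sample notebook is constructed, and the list of MIME types treated as "rendered verbatim" (`RAW_HTML_MIMES`) is an assumption about which outputs an HTML exporter passes through unescaped; it does not enumerate the sixteen vectors the advisory refers to.

```python
import json
import re

# Assumed: output MIME types whose payload an HTML exporter emits as-is.
RAW_HTML_MIMES = {"text/html", "image/svg+xml", "application/javascript"}

# Markers of active content in markdown/raw cell source: script-capable
# elements, inline event handlers, javascript: URLs.
ACTIVE_HTML = re.compile(
    r"<\s*(script|iframe|object|embed|svg|math)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def _cell_source(cell):
    """nbformat stores source as either a string or a list of lines."""
    src = cell.get("source", "")
    return "".join(src) if isinstance(src, list) else src


def scan_notebook(nb):
    """Return (cell_index, where, reason) for every injection vector found.

    Markdown and raw cells are checked for active HTML in their source;
    code-cell outputs are checked for raw-HTML MIME bundles. Plain-text and
    stream outputs are not flagged."""
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        ctype = cell.get("cell_type")
        if ctype in ("markdown", "raw") and ACTIVE_HTML.search(_cell_source(cell)):
            findings.append((idx, ctype, "active HTML in cell source"))
        if ctype != "code":
            continue
        for out in cell.get("outputs", []):
            data = out.get("data", {})
            for mime in sorted(RAW_HTML_MIMES & set(data)):
                findings.append((idx, "output", f"raw {mime} output"))
    return findings


def scan_notebook_json(text):
    return scan_notebook(json.loads(text))


# Constructed sample: one clean markdown cell, one markdown cell with an
# inline event handler, one code cell with a text/html display output and
# one code cell with only a stream output.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Report\n", "Plain *markdown* only.\n"]},
        {"cell_type": "markdown", "metadata": {},
         "source": ['<img src=x onerror="alert(1)">\n']},
        {"cell_type": "code", "metadata": {}, "execution_count": 1,
         "source": ["df"],
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/plain": ["<table>"],
                               "text/html": ["<script>alert(1)</script>"]}}]},
        {"cell_type": "code", "metadata": {}, "execution_count": 2,
         "source": ["print('hi')"],
         "outputs": [{"output_type": "stream", "name": "stdout",
                      "text": ["hi\n"]}]},
    ],
})

if __name__ == "__main__":
    for finding in scan_notebook_json(SAMPLE_NOTEBOOK):
        print(finding)
```

A scanner like this is a gate, not a sanitizer: a flagged notebook should be converted with HTML sanitization turned on (nbconvert's HTML exporter has a `sanitize_html` option, `--HTMLExporter.sanitize_html=True`) or rejected, and the exported page should in any case be served with a Content-Security-Policy rather than relying on the converter alone.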
Publish Date: 2022-08-18
URL: CVE-2021-32862
### CVSS 3 Score Details (5.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-9jmq-rx5f-8jwq
Release Date: 2022-08-18
Fix Resolution: nbconvert - 6.3.0
CVE-2020-28493
### Vulnerable Library - Jinja2-2.11.2-py2.py3-none-any.whl

A very fast and expressive template engine.
Library home page: https://files.pythonhosted.org/packages/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl
Path to dependency file: /test/sample-test/requirements.txt
Path to vulnerable library: /test/sample-test/requirements.txt,/backend/requirements.txt,/backend/src/apiserver/visualization/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - notebook-5.7.10-py2.py3-none-any.whl
    - :x: **Jinja2-2.11.2-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re` regex and its use of multiple wildcards. The last wildcard is the most exploitable, as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the `urlize` filter, or by implementing request timeouts and limiting process memory.
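The second mitigation named above, a time and memory limit on the work done with untrusted input, as an added example that is not Jinja code. `run_bounded` forks a child, applies `RLIMIT_CPU` (and optionally `RLIMIT_AS`) there, runs the supplied function and reports whether it finished; the kernel kills the child with `SIGXCPU` when the CPU budget is spent, which an in-process timer cannot do while the regex engine is busy inside a single C call. The two demo functions use a constructed catastrophic pattern (`(a+)+$`) as a stand-in for the backtracking `_punctuation_re` case. Unix only.

```python
import os
import re
import resource
import signal


def run_bounded(fn, cpu_seconds=1, mem_bytes=None):
    """Run fn() (which must return a str) in a forked child under a CPU-time
    limit and, if mem_bytes is given, an address-space limit.

    Returns (True, result) when fn finished, or (False, reason) when the
    child was killed by a limit or raised an exception."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: apply limits, do the work, report through the pipe
        os.close(read_end)
        code = 1
        try:
            _, hard = resource.getrlimit(resource.RLIMIT_CPU)
            if hard != resource.RLIM_INFINITY:
                cpu_seconds = min(cpu_seconds, hard)
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, hard))
            if mem_bytes is not None:
                _, hard_mem = resource.getrlimit(resource.RLIMIT_AS)
                if hard_mem != resource.RLIM_INFINITY:
                    mem_bytes = min(mem_bytes, hard_mem)
                resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, hard_mem))
            payload = fn().encode()
            code = 0
        except BaseException as exc:  # MemoryError from RLIMIT_AS lands here
            payload = f"{type(exc).__name__}: {exc}".encode()
        try:
            os.write(write_end, payload[:65536])
        finally:
            os._exit(code)
    # parent: drain the pipe, then collect the exit status
    os.close(write_end)
    chunks = []
    while True:
        chunk = os.read(read_end, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    _, status = os.waitpid(pid, 0)
    text = b"".join(chunks).decode(errors="replace")
    if os.WIFSIGNALED(status):
        sig = os.WTERMSIG(status)
        name = "SIGXCPU (CPU limit hit)" if sig == signal.SIGXCPU else f"signal {sig}"
        return False, f"child killed by {name}"
    if os.WEXITSTATUS(status) != 0:
        return False, text
    return True, text


def benign_match():
    """Greedy first attempt succeeds immediately."""
    return str(bool(re.match(r"(a+)+$", "a" * 40)))


def catastrophic_match():
    """Nested quantifier plus a non-matching tail: exponential backtracking,
    effectively never finishes for 40 characters."""
    return str(re.match(r"(a+)+$", "a" * 40 + "!"))


if __name__ == "__main__":
    print(run_bounded(benign_match, cpu_seconds=5))
    print(run_bounded(catastrophic_match, cpu_seconds=1))
```

In a web service the same limit belongs on the worker process (uWSGI's `harakiri`, gunicorn's `--timeout`, or a cgroup CPU quota), which is the "request timeout" the advisory means; the per-call fork shown here is for batch jobs or for testing a filter against suspected inputs.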
Publish Date: 2021-02-01
URL: CVE-2020-28493
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28493
Release Date: 2021-02-01
Fix Resolution: Jinja2 - 2.11.3
CVE-2022-29238
### Vulnerable Library - notebook-5.7.10-py2.py3-none-any.whl

Jupyter Notebook - A web-based notebook environment for interactive computing
Library home page: https://files.pythonhosted.org/packages/7a/fb/6b1735e8ff43f68e867928526134cd6ba22554d596862a7fe71092ba8fc8/notebook-5.7.10-py2.py3-none-any.whl
Path to dependency file: /backend/src/apiserver/visualization/requirements.txt
Path to vulnerable library: /backend/src/apiserver/visualization/requirements.txt,/test/sample-test/requirements.txt,/backend/requirements.txt
Dependency Hierarchy:
- jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  - :x: **notebook-5.7.10-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
### Vulnerability Details

Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed. Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. `~/.ssh` while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed. Version 6.4.12 contains a patch for this issue. There are currently no known workarounds.
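The gap described above, a policy enforced on enumeration but not on direct access, modelled as an added example that is not the notebook server's code. `TREE` is a constructed in-memory file tree standing in for `$HOME`; `list_dir` filters hidden names the way listing did, `get_file_vulnerable` reads any normalized path (the pre-6.4.12 shape), and `get_file_fixed` applies `is_hidden` to every component of the requested path before reading. The function names and the `allow_hidden` keyword are this example's own.

```python
import posixpath

# Constructed tree standing in for a server rooted at $HOME.
TREE = {
    "notebooks/analysis.ipynb": "{}",
    "notebooks/.secrets/token.txt": "hunter2",
    ".ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----",
}


def normalize(path):
    """Collapse '.' and '..' and anchor the result under the server root,
    so 'notebooks/../.ssh/id_rsa' becomes '.ssh/id_rsa'."""
    return posixpath.normpath("/" + path).lstrip("/")


def is_hidden(path):
    """True if ANY component of the path starts with '.', not just the leaf:
    a non-hidden file inside a hidden directory is still hidden."""
    return any(part.startswith(".") for part in path.split("/") if part)


def list_dir(directory, allow_hidden=False):
    """Directory listing; hidden entries are filtered out unless allowed."""
    d = normalize(directory)
    prefix = d + "/" if d else ""
    names = {p[len(prefix):].split("/")[0] for p in TREE if p.startswith(prefix)}
    return sorted(n for n in names if allow_hidden or not n.startswith("."))


def get_file_vulnerable(path, allow_hidden=False):
    """Pre-6.4.12 shape: the listing hides the name, but a direct request
    for a guessable path is served without any hidden check."""
    return TREE[normalize(path)]


def get_file_fixed(path, allow_hidden=False):
    """Fixed shape: the same hidden-ness rule is applied on the access path."""
    norm = normalize(path)
    if not allow_hidden and is_hidden(norm):
        raise PermissionError(f"{path!r} is hidden and allow_hidden is False")
    return TREE[norm]


def can_read(getter, path, allow_hidden=False):
    """True if getter serves the file, False if it refuses or it is absent."""
    try:
        getter(path, allow_hidden=allow_hidden)
        return True
    except (PermissionError, KeyError):
        return False


if __name__ == "__main__":
    print("listing:", list_dir(""), list_dir("notebooks"))
    for p in (".ssh/id_rsa", "notebooks/../.ssh/id_rsa", "notebooks/.secrets/token.txt"):
        print(f"{p:32s} vulnerable={can_read(get_file_vulnerable, p)} "
              f"fixed={can_read(get_file_fixed, p)}")
```

The general rule the example encodes: a visibility flag is only a security boundary if the same predicate runs on every code path that can return the object (list, get, download, rename, checkpoint), and it must be evaluated on the normalized path so `..` cannot route around it.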
Publish Date: 2022-06-14
URL: CVE-2022-29238
### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg
Release Date: 2022-06-14
Fix Resolution: notebook - 6.4.12