Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version.
Patches
JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.
Workarounds
No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.
This PR contains the following updates:
7.0.3->7.0.7GitHub Vulnerability Alerts
CVE-2024-22420
Impact
The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.
A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.
Patches
JupyterLab v4.0.11 was patched.
Workarounds
Users can either disable the table of contents extension by running:
References
Vulnerability reported via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
CVE-2024-22421
Impact
Users of JupyterLab who click on a malicious link may get their
AuthorizationandXSRFTokentokens exposed to a third party when running an olderjupyter-serverversion.Patches
JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.
Workarounds
No workaround has been identified, however users should ensure to upgrade
jupyter-serverto version 2.7.2 or newer which includes a redirect vulnerability fix.References
Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
Release Notes
jupyter/notebook (notebook)
### [`v7.0.7`](https://togithub.com/jupyter/notebook/releases/tag/v7.0.7) [Compare Source](https://togithub.com/jupyter/notebook/compare/v7.0.6...v7.0.7) #### 7.0.7 ([Full Changelog](https://togithub.com/jupyter/notebook/compare/@jupyter-notebook/application-extension@7.0.6...089c78c48fd00b2b0d2f33e4463eb42018e86803)) ##### Enhancements made - Update to JupyterLab 4.0.11 [#7215](https://togithub.com/jupyter/notebook/pull/7215) ([@krassowski](https://togithub.com/krassowski)) ##### Maintenance and upkeep improvements - Update ruff config and typing [#7145](https://togithub.com/jupyter/notebook/pull/7145) ([@blink1073](https://togithub.com/blink1073)) - Clean up lint handling [#7142](https://togithub.com/jupyter/notebook/pull/7142) ([@blink1073](https://togithub.com/blink1073)) - Adopt ruff format [#7132](https://togithub.com/jupyter/notebook/pull/7132) ([@blink1073](https://togithub.com/blink1073)) - \[7.0.x] Install stable JupyterLab 4.0 in the releaser hook [#7183](https://togithub.com/jupyter/notebook/pull/7183) ([@jtpio](https://togithub.com/jtpio)) - Update publish-release workflow for PyPI trusted publisher [#7176](https://togithub.com/jupyter/notebook/pull/7176) ([@jtpio](https://togithub.com/jtpio)) ##### Contributors to this release ([GitHub contributors page for this release](https://togithub.com/jupyter/notebook/graphs/contributors?from=2023-10-17\&to=2024-01-19\&type=c)) [@brichet](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Abrichet+updated%3A2023-10-17..2024-01-19\&type=Issues) | [@d5423197](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ad5423197+updated%3A2023-10-17..2024-01-19\&type=Issues) | [@github-actions](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Agithub-actions+updated%3A2023-10-17..2024-01-19\&type=Issues) | [@jtpio](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2023-10-17..2024-01-19\&type=Issues) | [@krassowski](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Akrassowski+updated%3A2023-10-17..2024-01-19\&type=Issues) | [@meeseeksmachine](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ameeseeksmachine+updated%3A2023-10-17..2024-01-19\&type=Issues) ### [`v7.0.6`](https://togithub.com/jupyter/notebook/blob/HEAD/CHANGELOG.md#706) [Compare Source](https://togithub.com/jupyter/notebook/compare/v7.0.5...v7.0.6) ([Full Changelog](https://togithub.com/jupyter/notebook/compare/@jupyter-notebook/app@7.0.5...c62caffb02856737870cbc79a2cdb43b3e89c363)) ##### Bugs fixed - Updated fav-icon Base URL from JupyterLab PageConfig. [#7109](https://togithub.com/jupyter/notebook/pull/7109) ([@jayeshsingh9767](https://togithub.com/jayeshsingh9767)) ##### Maintenance and upkeep improvements - Fix typings [#7110](https://togithub.com/jupyter/notebook/pull/7110) ([@jtpio](https://togithub.com/jtpio)) - Bump postcss from 8.4.27 to 8.4.31 [#7089](https://togithub.com/jupyter/notebook/pull/7089) ([@dependabot](https://togithub.com/dependabot)) ##### Contributors to this release ([GitHub contributors page for this release](https://togithub.com/jupyter/notebook/graphs/contributors?from=2023-10-12\&to=2023-10-17\&type=c)) [@dependabot](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Adependabot+updated%3A2023-10-12..2023-10-17\&type=Issues) | [@github-actions](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Agithub-actions+updated%3A2023-10-12..2023-10-17\&type=Issues) | [@jayeshsingh9767](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajayeshsingh9767+updated%3A2023-10-12..2023-10-17\&type=Issues) | [@jtpio](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2023-10-12..2023-10-17\&type=Issues) ### [`v7.0.5`](https://togithub.com/jupyter/notebook/blob/HEAD/CHANGELOG.md#705) [Compare Source](https://togithub.com/jupyter/notebook/compare/v7.0.4...v7.0.5) ([Full Changelog](https://togithub.com/jupyter/notebook/compare/@jupyter-notebook/app@7.0.4...839193d07f0780ded6f559892517f061f3776b02)) ##### Enhancements made - Update to JupyterLab 4.0.7 [#7103](https://togithub.com/jupyter/notebook/pull/7103) ([@jtpio](https://togithub.com/jtpio)) ##### Maintenance and upkeep improvements - Update `permissions` in the galata snapshot workflow [#7105](https://togithub.com/jupyter/notebook/pull/7105) ([@jtpio](https://togithub.com/jtpio)) - Fix typings check on CI [#7104](https://togithub.com/jupyter/notebook/pull/7104) ([@jtpio](https://togithub.com/jtpio)) - Ignore yarn.lock for codespell [#7098](https://togithub.com/jupyter/notebook/pull/7098) ([@jtpio](https://togithub.com/jtpio)) - Remove link to the PDF documentation [#7094](https://togithub.com/jupyter/notebook/pull/7094) ([@jtpio](https://togithub.com/jtpio)) - Bump postcss from 8.4.23 to 8.4.31 in /ui-tests [#7088](https://togithub.com/jupyter/notebook/pull/7088) ([@dependabot](https://togithub.com/dependabot)) - React to the galata update comment [#7086](https://togithub.com/jupyter/notebook/pull/7086) ([@jtpio](https://togithub.com/jtpio)) - Switch from `hub` to `gh` in the Playwright snapshots update workflow [#7085](https://togithub.com/jupyter/notebook/pull/7085) ([@jtpio](https://togithub.com/jtpio)) - chore: update pre-commit hooks [#7084](https://togithub.com/jupyter/notebook/pull/7084) ([@pre-commit-ci](https://togithub.com/pre-commit-ci)) - Fix traitlets typing [#7082](https://togithub.com/jupyter/notebook/pull/7082) ([@jtpio](https://togithub.com/jtpio)) - Bump toshimaru/auto-author-assign from 2.0.0 to 2.0.1 [#7080](https://togithub.com/jupyter/notebook/pull/7080) ([@dependabot](https://togithub.com/dependabot)) - Bump toshimaru/auto-author-assign from 1.6.2 to 2.0.0 [#7072](https://togithub.com/jupyter/notebook/pull/7072) ([@dependabot](https://togithub.com/dependabot)) - ci: set minimal permissions to workflows [#7070](https://togithub.com/jupyter/notebook/pull/7070) ([@diogoteles08](https://togithub.com/diogoteles08)) - Bump systeminformation from 5.17.12 to 5.21.8 in /ui-tests [#7064](https://togithub.com/jupyter/notebook/pull/7064) ([@dependabot](https://togithub.com/dependabot)) ##### Documentation improvements - Improve docs setup (SVG logos, repo links) [#7074](https://togithub.com/jupyter/notebook/pull/7074) ([@krassowski](https://togithub.com/krassowski)) ##### Contributors to this release ([GitHub contributors page for this release](https://togithub.com/jupyter/notebook/graphs/contributors?from=2023-09-20\&to=2023-10-12\&type=c)) [@dependabot](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Adependabot+updated%3A2023-09-20..2023-10-12\&type=Issues) | [@diogoteles08](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Adiogoteles08+updated%3A2023-09-20..2023-10-12\&type=Issues) | [@github-actions](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Agithub-actions+updated%3A2023-09-20..2023-10-12\&type=Issues) | [@jtpio](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2023-09-20..2023-10-12\&type=Issues) | [@krassowski](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Akrassowski+updated%3A2023-09-20..2023-10-12\&type=Issues) | [@pre-commit-ci](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Apre-commit-ci+updated%3A2023-09-20..2023-10-12\&type=Issues) ### [`v7.0.4`](https://togithub.com/jupyter/notebook/blob/HEAD/CHANGELOG.md#704) [Compare Source](https://togithub.com/jupyter/notebook/compare/v7.0.3...v7.0.4) ([Full Changelog](https://togithub.com/jupyter/notebook/compare/@jupyter-notebook/app@7.0.3...0e62386fc71ed4bd424c989f9d5493ca346f1d9a)) ##### Enhancements made - Update to JupyterLab 4.0.6 [#7049](https://togithub.com/jupyter/notebook/pull/7049) ([@jtpio](https://togithub.com/jtpio)) ##### Bugs fixed - Fix `app_version` [#7061](https://togithub.com/jupyter/notebook/pull/7061) ([@jtpio](https://togithub.com/jtpio)) - fix trusted status indication [#7036](https://togithub.com/jupyter/notebook/pull/7036) ([@adigaboy](https://togithub.com/adigaboy)) ##### Maintenance and upkeep improvements - Update Binder environment [#7059](https://togithub.com/jupyter/notebook/pull/7059) ([@jtpio](https://togithub.com/jtpio)) - Add `deduplicate` top-level script [#7058](https://togithub.com/jupyter/notebook/pull/7058) ([@jtpio](https://togithub.com/jtpio)) - Move opening path in new browser tabs to a separate plugin [#7056](https://togithub.com/jupyter/notebook/pull/7056) ([@jtpio](https://togithub.com/jtpio)) - Enable the Playwright trace [#7050](https://togithub.com/jupyter/notebook/pull/7050) ([@jtpio](https://togithub.com/jtpio)) - Bump actions/checkout from 3 to 4 [#7040](https://togithub.com/jupyter/notebook/pull/7040) ([@dependabot](https://togithub.com/dependabot)) - Adopt sp-repo-review [#7039](https://togithub.com/jupyter/notebook/pull/7039) ([@blink1073](https://togithub.com/blink1073)) - Add `datetime.datetime.utc()` to the filter list [#7037](https://togithub.com/jupyter/notebook/pull/7037) ([@jtpio](https://togithub.com/jtpio)) - Fix docs build on Gitpod [#7026](https://togithub.com/jupyter/notebook/pull/7026) ([@jtpio](https://togithub.com/jtpio)) ##### Contributors to this release ([GitHub contributors page for this release](https://togithub.com/jupyter/notebook/graphs/contributors?from=2023-08-30\&to=2023-09-20\&type=c)) [@adigaboy](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Aadigaboy+updated%3A2023-08-30..2023-09-20\&type=Issues) | [@blink1073](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ablink1073+updated%3A2023-08-30..2023-09-20\&type=Issues) | [@dependabot](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Adependabot+updated%3A2023-08-30..2023-09-20\&type=Issues) | [@github-actions](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Agithub-actions+updated%3A2023-08-30..2023-09-20\&type=Issues) | [@jtpio](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Ajtpio+updated%3A2023-08-30..2023-09-20\&type=Issues) | [@pre-commit-ci](https://togithub.com/search?q=repo%3Ajupyter%2Fnotebook+involves%3Apre-commit-ci+updated%3A2023-08-30..2023-09-20\&type=Issues)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.