CVE-2021-32798 – Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in notebook
https://notcve.org/view.php?id=CVE-2021-32798
The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions an untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to execute arbitrary code on the victim's computer using Jupyter APIs. • https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5 https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-32797 – JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
https://notcve.org/view.php?id=CVE-2021-32797
JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions an untrusted notebook can execute code on load. In particular, JupyterLab does not sanitize the `action` attribute of an HTML `<form>`. Using this it is possible to trigger form validation outside of the form itself. This amounts to remote code execution, but requires the victim to open the malicious notebook. • https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
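The two advisories above are both instances of an HTML sanitizer whose allowlist of URL-valued attributes is incomplete. The following is an added example, not code from Jupyter Notebook or JupyterLab, showing an attribute sanitizer with a weak policy (`action` not scheme-checked) beside the corrected one, run over a constructed `<form>` of the kind a malicious cell output could carry. The attribute sets, the safe-scheme list and the `extract_form_attrs` helper are all assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL-valued attributes that must be scheme-checked.  WEAK omits `action`,
# which is the shape of the gap the advisory describes; FIXED includes it.
# Both sets are illustrative, not JupyterLab's real sanitizer configuration.
WEAK_URL_ATTRS = {"href", "src"}
FIXED_URL_ATTRS = {"href", "src", "action", "formaction"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def url_is_safe(value: str) -> bool:
    """True if the URL's scheme is allowed; rejects javascript:, data:, vbscript:, ..."""
    # Browsers drop tabs/newlines and ignore leading control characters, so
    # "java\tscript:" is still javascript:.  Normalise before parsing.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES


def sanitize_attrs(attrs: dict, url_attrs: set) -> dict:
    """Return a copy of attrs with unsafe URL attributes and event handlers removed."""
    out = {}
    for name, value in attrs.items():
        key = name.lower()
        value = value or ""          # HTMLParser yields None for bare attributes
        if key.startswith("on"):
            continue                 # never allow inline event handlers
        if key in url_attrs and not url_is_safe(value):
            continue                 # drop the attribute, keep the element
        out[key] = value
    return out


class FormAttrExtractor(HTMLParser):
    """Collect the attribute dict of every <form> start tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append(dict(attrs))


def extract_form_attrs(html: str) -> list:
    parser = FormAttrExtractor()
    parser.feed(html)
    parser.close()
    return parser.forms


# Constructed sample output: a form whose action is a javascript: URL.
SAMPLE_OUTPUT = (
    '<form action="javascript:alert(document.domain)" method="post">'
    '<button type="submit">click</button></form>'
)

if __name__ == "__main__":
    for form in extract_form_attrs(SAMPLE_OUTPUT):
        print("weak :", sanitize_attrs(form, WEAK_URL_ATTRS))
        print("fixed:", sanitize_attrs(form, FIXED_URL_ATTRS))
```

Under the weak policy the `action` survives untouched; under the fixed policy the element is kept but the attribute is dropped. The scheme check strips tabs and control characters first, because the browser does the same before deciding what scheme it is looking at.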
CVE-2020-36191
https://notcve.org/view.php?id=CVE-2020-36191
JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account). • https://github.com/jupyterhub/jupyterhub/issues/3304 https://github.com/jupyterhub/jupyterhub/releases • CWE-352: Cross-Site Request Forgery (CSRF) •
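The defect described above is a token check that is skipped when the token is absent. The following is an added example, not JupyterHub's code, contrasting that fail-open shape with a fail-closed double-submit check, run over two constructed requests to /hub/api/user. The request dictionaries, their form field names and the `handle` dispatcher are assumptions made for the illustration.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _tokens_match(a: str, b: str) -> bool:
    # Constant-time comparison, so the check itself leaks nothing about the token.
    return hmac.compare_digest(a.encode(), b.encode())


def xsrf_check_lenient(method, cookie_token, form_token=None, header_token=None):
    """Fail-open shape: validate the token only when the client sent one.
    Illustrative reconstruction of the failure mode, not JupyterHub's code."""
    if method.upper() in SAFE_METHODS:
        return True
    submitted = form_token or header_token
    if submitted is None:
        return True                      # <-- a request without _xsrf is accepted
    return bool(cookie_token) and _tokens_match(submitted, cookie_token)


def xsrf_check_strict(method, cookie_token, form_token=None, header_token=None):
    """Fail-closed: every state-changing request must carry a token that
    matches the _xsrf cookie (double-submit cookie pattern)."""
    if method.upper() in SAFE_METHODS:
        return True
    submitted = form_token or header_token
    if not cookie_token or not submitted:
        return False
    return _tokens_match(submitted, cookie_token)


def handle(request: dict, check=xsrf_check_strict) -> int:
    """Toy dispatcher: returns an HTTP status for a constructed request dict."""
    ok = check(
        request["method"],
        request.get("cookies", {}).get("_xsrf"),
        request.get("form", {}).get("_xsrf"),
        request.get("headers", {}).get("X-XSRFToken"),
    )
    return 200 if ok else 403


# Constructed cross-site request: the browser attaches the victim's cookie,
# but the attacker's page cannot read it, so no _xsrf field is present.
CSRF_REQUEST = {
    "method": "POST",
    "path": "/hub/api/user",
    "cookies": {"_xsrf": "victim-token"},
    "form": {"username": "attacker"},
}

# The same request as issued by the admin UI, with the token echoed back.
LEGIT_REQUEST = {
    "method": "POST",
    "path": "/hub/api/user",
    "cookies": {"_xsrf": "victim-token"},
    "form": {"username": "newuser", "_xsrf": "victim-token"},
}

if __name__ == "__main__":
    print("lenient:", handle(CSRF_REQUEST, xsrf_check_lenient))   # accepted
    print("strict :", handle(CSRF_REQUEST, xsrf_check_strict))    # rejected
    print("legit  :", handle(LEGIT_REQUEST, xsrf_check_strict))   # accepted
```

The cross-site request is indistinguishable from a legitimate one except for the missing token, which is exactly why the check must treat "no token" as a failure rather than as "nothing to verify".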
CVE-2020-26275 – Open redirect vulnerability
https://notcve.org/view.php?id=CVE-2020-26275
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. In Jupyter Server before version 1.1.1, an open redirect vulnerability could cause the jupyter server to redirect the browser to a different, malicious website. All jupyter servers running without a base_url prefix are technically affected; however, these maliciously crafted links can only reasonably be made for known jupyter server hosts. A link to your jupyter server may *appear* safe, but ultimately redirect to a spoofed server on the public internet. This same vulnerability was patched in upstream notebook v5.7.8. • https://advisory.checkmarx.net/advisory/CX-2020-4291 https://github.com/jupyter-server/jupyter_server/commit/85e4abccf6ea9321d29153f73b0bd72ccb3a6bca https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-9f66-54xg-pc2c https://pypi.org/project/jupyter-server • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
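An open redirect of this kind is prevented by validating the post-login target as a same-origin path under the server's base_url, while accounting for the browser's own URL normalisation. The following is an added example, not Jupyter Server's code, of such a validator; the function name and the handling of base_url as a required prefix are assumptions made here, and the inputs in the demo are constructed.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(target: str, base_url: str = "/"):
    """Return a normalised same-origin path under base_url, or None if unsafe."""
    if not target:
        return None
    # Browsers delete ASCII tab/newline anywhere in a URL, so do the same
    # before looking at the string, otherwise "/\t/evil" passes as a path.
    t = target.replace("\t", "").replace("\r", "").replace("\n", "")
    # In http(s) URLs browsers treat a backslash as a forward slash.
    t = t.replace("\\", "/")
    # Must be a path: not an absolute URL, not scheme-relative (//host).
    if not t.startswith("/") or t.startswith("//"):
        return None
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:
        return None
    # Collapse "." and ".." so "/prefix/../tree" cannot escape the prefix.
    path = posixpath.normpath(parts.path)
    base = base_url if base_url.endswith("/") else base_url + "/"
    if path != base.rstrip("/") and not path.startswith(base):
        return None
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: how an attacker might encode a foreign host.
    for candidate in ("//evil.example/", "/\\evil.example/", "https://evil.example/",
                      "/\t/evil.example/", "/tree?token=x", "/jupyter/../tree"):
        print(repr(candidate), "->", safe_redirect_target(candidate, "/"))
```

A bare `startswith("/")` check is what `//evil.example` and `/\evil.example` are designed to slip past, which matches the advisory's note that servers without a base_url prefix were the ones exposed: with a prefix, the prefix comparison happened to reject those forms.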
CVE-2020-26250 – Base class whitelist configuration ignored in OAuthenticator
https://notcve.org/view.php?id=CVE-2020-26250
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration had not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist`, are **not** affected. All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `admin.whitelist.users` configuration in the jupyterhub helm chart or the `c.Authenticator.whitelist` configuration directly are affected. • https://github.com/jupyterhub/oauthenticator/blob/master/docs/source/changelog.md#0122---2020-11-30 https://github.com/jupyterhub/oauthenticator/commit/a4aac191c16cf6281f3d346615aefa75702b02d7 https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-384w-5v3f-q499 https://jupyterhub.readthedocs.io/en/1.2.2/getting-started/authenticators-users-basics.html#add-or-remove-users-from-the-hub • CWE-863: Incorrect Authorization •
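The advisory turns on two things: a deprecated key that is supposed to be aliased onto its replacement, and an empty `allowed_users` meaning "no restriction". The following is an added example, not JupyterHub's or OAuthenticator's implementation, with a base class that performs the alias mapping, a subclass that reproduces the failure mode by claiming `whitelist` for itself, and an `audit` helper that flags the resulting fail-open state. Class names, the `unconsumed` attribute and the audit function are assumptions made for the illustration.

```python
import logging

log = logging.getLogger(__name__)


class Authenticator:
    """Simplified stand-in for the base-class behaviour the advisory describes:
    the deprecated `whitelist` key is mapped onto `allowed_users` with a warning."""

    def __init__(self, **config):
        self.allowed_users = set(config.pop("allowed_users", ()))
        if "whitelist" in config:
            log.warning("Authenticator.whitelist is deprecated; use allowed_users")
            self.allowed_users |= set(config.pop("whitelist"))
        self.unconsumed = config  # anything no class claimed

    def check_allowed(self, username: str) -> bool:
        # An empty allowed_users set means "no restriction".  That is the
        # documented semantics, and why silently dropping `whitelist` fails open.
        return not self.allowed_users or username in self.allowed_users


class AliasIgnoringAuthenticator(Authenticator):
    """Reproduces the failure mode: the subclass takes `whitelist` for itself
    and never forwards it, so the base class sees no restriction at all."""

    def __init__(self, **config):
        self.whitelist = set(config.pop("whitelist", ()))  # stored, never consulted
        super().__init__(**config)


def audit(auth: Authenticator) -> list:
    """Flag the misconfiguration: a whitelist was given, but no restriction is in effect."""
    findings = []
    if getattr(auth, "whitelist", None) and not auth.allowed_users:
        findings.append("whitelist configured but allowed_users is empty: "
                        "every authenticated user will be admitted")
    return findings


if __name__ == "__main__":
    # Constructed configuration: operator intends to admit only alice.
    good = Authenticator(whitelist={"alice"})
    bad = AliasIgnoringAuthenticator(whitelist={"alice"})
    print("mapped  :", good.check_allowed("mallory"), audit(good))   # False, []
    print("ignored :", bad.check_allowed("mallory"), audit(bad))     # True, [finding]
```

The practical check for an operator is the last branch of `audit`: if the only restriction you configured is an allowlist of users, confirm after startup that the effective `allowed_users` is non-empty, because an empty set is not an error in this model, it is "admit everyone".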