CVE-2014-3429: Code Injection
First published: Tue Jul 15 2014(Updated: )
IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/ipython | >=0.12<1.2.0 | 1.2.0 |
| redhat/ipython | <2.0.0 | 2.0.0 |
| openSUSE openSUSE | =13.1 | |
| openSUSE openSUSE | =13.2 | |
| Ipython Ipython Notebook | =0.12 | |
| Ipython Ipython Notebook | =0.12.1 | |
| Ipython Ipython Notebook | =0.13 | |
| Ipython Ipython Notebook | =0.13.1 | |
| Ipython Ipython Notebook | =0.13.2 | |
| Ipython Ipython Notebook | =1.0.0 | |
| Ipython Ipython Notebook | =1.1.0 | |
| Mageia Mageia | =3.0 | |
| Mageia Mageia | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://openwall.com/lists/oss-security/2014/07/15/2
- http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
- https://github.com/ipython/ipython/pull/4845
- http://ipython.org/ipython-doc/stable/whatsnew/github-stats-2.0.html
- http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1119891
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1119892
- https://admin.fedoraproject.org/updates/ipython-0.13.2-4.fc20
- https://bugzilla.redhat.com/show_bug.cgi?id=1119890
- https://nvd.nist.gov/vuln/detail/CVE-2014-3429
- https://exchange.xforce.ibmcloud.com/vulnerabilities/94497
- http://advisories.mageia.org/MGASA-2014-0320.html
- http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html
- http://seclists.org/oss-sec/2014/q3/152
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:160
- https://github.com/ipython/ipython/commit/e5b669ce4750d628dba383fd637dbde918ea15f5
- https://github.com/mattvonrocketstein/ipython/commit/dd4135db9f42d196a46553310a8e63ff5658671d
- https://github.com/advisories/GHSA-75cw-5cgv-g853 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/ipython/PYSEC-2014-21.yaml
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-3429
- agent/software-canonical-lookup
- agent/description
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-75cw-5cgv-g853
- agent/severity
- agent/last-modified-date
- agent/references
- agent/tags
- collector/github-advisory
- agent/trending
- package-manager/redhat
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/13.1
- version/opensuse opensuse/13.2
- vendor/ipython
- canonical/ipython ipython notebook
- version/ipython ipython notebook/0.12
- version/ipython ipython notebook/0.12.1
- version/ipython ipython notebook/0.13
- version/ipython ipython notebook/0.13.1
- version/ipython ipython notebook/0.13.2
- version/ipython ipython notebook/1.0.0
- version/ipython ipython notebook/1.1.0
- vendor/mageia
- canonical/mageia mageia
- version/mageia mageia/3.0
- version/mageia mageia/4.0
- package-manager/pip