First published: Wed Aug 28 2024
### Impact

The vulnerability depends on user interaction: the attacked user has to open a malicious notebook containing Markdown cells, or a malicious Markdown file, using the JupyterLab preview feature. Through the resulting DOM clobbering, a malicious user can access any data that the attacked user has access to, as well as perform arbitrary requests acting as the attacked user.

### Patches

JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 were patched.

### Workarounds

There is no workaround for the underlying DOM clobbering susceptibility. However, on deployments which cannot update in a timely fashion, selected plugins can be disabled to minimise the risk. These are:

- `@jupyterlab/mathjax-extension:plugin` - users will lose the ability to preview mathematical equations
- `@jupyterlab/markdownviewer-extension:plugin` - users will lose the ability to open Markdown previews
- `@jupyterlab/mathjax2-extension:plugin` (only present if the optional `jupyterlab-mathjax2` package is installed) - an older version of the MathJax plugin for JupyterLab 4.x

To disable these extensions run:

```bash
jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin
jupyter labextension disable @jupyterlab/mathjax-extension:plugin
jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
```

To confirm that the plugins were disabled run:

```bash
jupyter labextension list
```

### References

None

### Notes

This change has the potential to break rendering of some Markdown. The Sanitizer exposes a setting (`allowNamedProperties`) which reverts to the previous sanitizer behaviour; enabling it restores the broken rendering at the cost of reintroducing the DOM clobbering exposure this fix removes.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/jupyterlab | >=4.0.0, <=4.2.4 | 4.2.5 |
| pip/notebook | >=7.0.0, <=7.2.1 | 7.2.2 |
| pip/jupyterlab | <=3.6.7 | 3.6.8 |
| Jupyter Jupyterlab | <3.6.8 | 3.6.8 |
| Jupyter Jupyterlab | >=4.0.0, <4.2.5 | 4.2.5 |
| Jupyter Notebook | >=7.0.0, <7.2.2 | 7.2.2 |
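The following script is an added example, not part of the advisory or of the Jupyter project: it encodes the affected ranges from the table above so that an installed JupyterLab or Notebook version can be classified as affected or not, e.g. when auditing a fleet of servers before deciding whether the extension-disabling workaround is needed. Versions in the 3.x line at or above 3.6.8, and Notebook releases below 7.0.0, are treated as not affected because the table lists no such range. The `installed_version` helper uses Python's standard `importlib.metadata` to read the installed package version; a pre-release suffix such as `rc1` is ignored for comparison (an assumption, chosen to keep the comparison purely numeric).

```shell
#!/usr/bin/env sh
# Added example: classify JupyterLab / Notebook versions against the
# affected ranges published in the advisory (not code from the project).

# vercmp A B: prints -1, 0 or 1 for A<B, A==B, A>B.
# Compares the first three dot-separated numeric components; a trailing
# alphabetic suffix such as "rc1" or "dev0" is stripped first (assumption).
vercmp() {
  _va=${1%%[a-zA-Z]*}; _vb=${2%%[a-zA-Z]*}
  _i=1
  while [ "$_i" -le 3 ]; do
    _x=$(printf '%s' "$_va" | cut -d. -f"$_i"); _y=$(printf '%s' "$_vb" | cut -d. -f"$_i")
    _x=${_x:-0}; _y=${_y:-0}
    if [ "$_x" -lt "$_y" ]; then echo -1; return 0; fi
    if [ "$_x" -gt "$_y" ]; then echo 1; return 0; fi
    _i=$((_i + 1))
  done
  echo 0
}

# in_range V LO HI: succeeds when LO <= V <= HI (inclusive on both ends).
in_range() {
  [ "$(vercmp "$1" "$2")" -ge 0 ] && [ "$(vercmp "$1" "$3")" -le 0 ]
}

# check_jupyterlab VERSION: "affected" for <=3.6.7 and 4.0.0..4.2.4,
# otherwise "not affected" (fixed in 3.6.8 and 4.2.5).
check_jupyterlab() {
  if in_range "$1" 0.0.0 3.6.7 || in_range "$1" 4.0.0 4.2.4; then
    echo affected
  else
    echo "not affected"
  fi
}

# check_notebook VERSION: "affected" for 7.0.0..7.2.1 (fixed in 7.2.2).
check_notebook() {
  if in_range "$1" 7.0.0 7.2.1; then echo affected; else echo "not affected"; fi
}

# installed_version PKG: prints the installed version of a Python
# distribution, or nothing if Python or the package is missing.
installed_version() {
  python3 -c 'import importlib.metadata as m, sys; print(m.version(sys.argv[1]))' "$1" 2>/dev/null || true
}

# audit: report the status of whatever is installed on this host.
audit() {
  _v=$(installed_version jupyterlab)
  if [ -n "$_v" ]; then echo "jupyterlab $_v: $(check_jupyterlab "$_v")"; else echo "jupyterlab: not installed"; fi
  _v=$(installed_version notebook)
  if [ -n "$_v" ]; then echo "notebook $_v: $(check_notebook "$_v")"; else echo "notebook: not installed"; fi
}

audit
```

Run it on each host (or wrap `audit` in your configuration-management tool); any line reporting `affected` is a host that needs the upgrade, or the plugin-disabling workaround from the advisory until it can be upgraded.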