CVE-2019-9644
Publication date 12 March 2019
Last updated 24 July 2024
Ubuntu priority
An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| jupyter-notebook | 22.04 LTS jammy |
Not affected
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Fixed 5.2.2-1ubuntu0.1
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.4 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-5585-1
- Jupyter Notebook vulnerabilities
- 30 August 2022
Other references
- https://github.com/jupyter/notebook/commit/cfc335b76466ccf1538ce545b654b29b5ab0097c
- https://github.com/jupyter/notebook/commit/b5105814fc41c6d789b317fa59f786bad7f9d798
- https://github.com/jupyter/notebook/commit/bfaa61385729ed4fb453863053f9a79141f01119
- https://github.com/jupyter/notebook/compare/f3f00df...05aa4b2
- https://www.cve.org/CVERecord?id=CVE-2019-9644