CVE-2014-3429 — Code Injection in Ipython

CWE-94 — Code Injection9 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

2.1%

top 15.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ipython Ipython Notebook Mageia +1 more

Timeline

PublishedAug 7

Latest updateMay 14

Description

IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages5 packages

▶NVDipython/ipython_notebook7 versions+6

▶PyPIipython/ipython0.12 — 1.2.0

▶Debianipython/ipython< 1.2.0~rc1-1+3

▶NVDmageia/mageia3.0, 4.0+1

▶NVDopensuse/opensuse13.1, 13.2+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

IPython Notebook vulnerable to improper validation of the origin of websocket requests↗2022-05-14

▶

GHSA

IPython Notebook vulnerable to improper validation of the origin of websocket requests↗2022-05-14

▶

OSV

CVE-2014-3429: IPython Notebook 0↗2014-08-07

▶

CVEList

CVE-2014-3429: IPython Notebook 0↗2014-08-07

▶

📋Vendor Advisories

Debian

CVE-2014-3429: ipython - IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of web...↗2014

▶

💬Community

Bugzilla

CVE-2014-3429 ipython: cross-domain websocket hijacking vulnerability↗2014-07-15

▶

Bugzilla

CVE-2014-3429 ipython: cross-domain websocket hijacking vulnerability [fedora-all]↗2014-07-15

▶

Bugzilla

CVE-2014-3429 ipython: cross-domain websocket hijacking vulnerability [epel-6]↗2014-07-15

▶