CVE-2018-8768 — Notebook vulnerability

10 documents8 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 69.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ipython Jupyter Notebook

Timeline

PublishedMar 18

Latest updateJun 30

Description

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in the notebook context. Specifically, invalid HTML is 'fixed' by jQuery after sanitization, making it dangerous.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶NVDjupyter/notebook< 5.4.1

▶PyPIjupyter/notebook< 5.4.1

▶Debianipython/ipython< 5.1.0-2+3

🔴Vulnerability Details

OSV

Jupyter Notebook file bypasses sanitization, executes JavaScript↗2018-07-12

▶

GHSA

Jupyter Notebook file bypasses sanitization, executes JavaScript↗2018-07-12

▶

OSV

CVE-2018-8768: In Jupyter Notebook before 5↗2018-03-18

▶

CVEList

CVE-2018-8768: In Jupyter Notebook before 5↗2018-03-18

▶

📋Vendor Advisories

Ubuntu

IPython vulnerability↗2021-03-15

▶

Debian

CVE-2018-8768: ipython - In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass ...↗2018

▶

📄Research Papers

arXiv

Threat Assessment in Machine Learning based Systems↗2022-06-30

▶

💬Community

Bugzilla

CVE-2018-8768 python-notebook: Input sanitization bypass allows for execution of JavaScript via crafted notebook file [fedora-all]↗2018-03-21

▶

Bugzilla

CVE-2018-8768 python-notebook: Input sanitization bypass allows for execution of JavaScript via crafted notebook file↗2018-03-21

▶