CVE-2019-9644Cross-site Scripting in Notebook

CWE-79Cross-site ScriptingCWE-284Improper Access ControlCWE-306Missing Authentication for Critical Function13 documents8 sources
Severity
5.4MEDIUMNVD
OSV6.1
EPSS
0.7%
top 26.95%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jupyter Notebook
Timeline
PublishedMar 12
Latest updateAug 29

Description

An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

NVDjupyter/notebook< 5.7.6
PyPIjupyter/notebook< 5.7.6

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

7
GHSA
cross-site inclusion (XSSI) of files in jupyter-server2023-08-29
OSV
cross-site inclusion (XSSI) of files in jupyter-server2023-08-29
OSV
jupyter-notebook vulnerabilities2022-08-30
GHSA
Improper Neutralization of Input During Web Page Generation in Jupyter Notebook2022-05-14
OSV
Improper Neutralization of Input During Web Page Generation in Jupyter Notebook2022-05-14

📋Vendor Advisories

2
Ubuntu
Jupyter Notebook vulnerabilities2022-08-30
Debian
CVE-2019-9644: jupyter-notebook - An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 al...2019

📄Research Papers

1
arXiv
Threat Assessment in Machine Learning based Systems2022-06-30

💬Community

2
Bugzilla
CVE-2019-9644 python-notebook: XSSI due to invalid javascript [fedora-all]2019-03-18
Bugzilla
CVE-2019-9644 python-notebook: XSSI due to invalid javascript2019-03-18
CVE-2019-9644 — Cross-site Scripting in Notebook | cvebase