CVE-2024-39700: Code Injection in Extension-template

CWE-94: Code Injection (2 documents, 2 sources)
Severity
NVD: 9.8 CRITICAL
CNA: 9.9
EPSS
3.9% (top 11.68%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 16

Description

JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created from this template with the `test` option include an `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml` should accept overwriting of this file and re-apply their changes afterwards. Users may wish to temporarily disable GitHub Actions

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

NVD: jupyter/jupyterlab < 4.3.0

Patches

Vulnerability Details

1. CVEList (2024-07-16): Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action