jupyter-dash
jupyter-dash copied to clipboard
plotly
Update dependency notebook to v6.4.12 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| notebook | ==6.0.3 -> ==6.4.12 |
GitHub Vulnerability Alerts
CVE-2020-26215
Impact
What kind of vulnerability is it? Who is impacted?
Open redirect vulnerability - a maliciously crafted link to a notebook server could redirect the browser to a different website.
All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet.
Patches
Has the problem been patched? What versions should users upgrade to?
Patched in notebook 6.1.5
References
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list [email protected].
Credit: zhuonan li of Alibaba Application Security Team
CVE-2021-32798
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
5.7.11, 6.4.1
References
OWASP Page on Injection Prevention
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list [email protected].
Credit: Guillaume Jeanne from Google
Example:
A notebook with the following content in a cell and it would display an alert when opened for the first time in Notebook (in an untrusted state):
{ "cell_type": "code", "execution_count": 0, "metadata": {}, "outputs": [ { "data": { "text/html": [ "<select><iframe></select><img src=x: onerror=alert('xss')>\n"], "text/plain": [] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "" ] }
CVE-2021-32797
Impact
Untrusted notebook can execute code on load. This is a remote code execution, but requires user action to open a notebook.
Patches
Patched in the following versions: 3.1.4, 3.0.17, 2.3.2, 2.2.10, 1.2.21.
References
OWASP Page on Restricting Form Submissions
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list [email protected].
Credit: Guillaume Jeanne from Google
CVE-2022-24758
Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server.
Upgrade to notebook version 6.4.10
For more information
If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list [email protected].
Credit: @3coins for reporting. Thank you!
CVE-2022-29238
Impact
What kind of vulnerability is it? Who is impacted?
Authenticated requests to the notebook server with ContentsManager.allow_hidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.
Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. ~/.ssh while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed.
Patches
Has the problem been patched? What versions should users upgrade to?
notebook 6.4.12
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Do not run the notebook server in a directory with hidden files, use subdirectories
- Use a custom ContentsManager with additional checks for
self.is_hidden(path)prior to completing actions
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
- Open an issue in example link to repo
- Email us at example email address
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, click this checkbox.
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}