Subject: [ASA-201812-1] jupyter-notebook: cross-site scripting

Arch Linux Security Advisory ASA-201812-1
=========================================

Severity: Medium
Date    : 2018-12-06
CVE-ID  : CVE-2018-19351 CVE-2018-19352
Package : jupyter-notebook
Type    : cross-site scripting
Remote  : No
Link    : https://security.archlinux.org/AVG-820

Summary
=======

The package jupyter-notebook before version 5.7.2-1 is vulnerable to
cross-site scripting.

Resolution
==========

Upgrade to 5.7.2-1.

# pacman -Syu "jupyter-notebook>=5.7.2-1"

The problems have been fixed upstream in version 5.7.2.

Workaround
==========

None.

Description
===========

- CVE-2018-19351 (cross-site scripting)

A security issue has been found in Jupyter Notebook versions prior to
5.7.1, where untrusted JavaScript could be executed if malicious files
could be delivered to the user's system and the user takes specific
actions with those malicious files. It allowed nbconvert endpoints (such
as Print Preview) to render untrusted HTML and JavaScript with access to
the notebook server.

- CVE-2018-19352 (cross-site scripting)

A security issue has been found in Jupyter Notebook versions prior to
5.7.2, where untrusted JavaScript could be executed if malicious files
could be delivered to the user's system and the user takes specific
actions with those malicious files. It allowed maliciously crafted
directory names to execute JavaScript when opened in the tree view.

Impact
======

A remote attacker is able to execute JavaScript and create HTML content
by tricking users into opening and interacting with maliciously crafted
notebook files.

References
==========

https://bugs.archlinux.org/task/60910
https://blog.jupyter.org/jupyter-notebook-security-fixes-59817e86a711
https://blog.jupyter.org/security-fix-for-jupyter-notebook-450f272b6932?gi=dbc3ae28c796
https://security.archlinux.org/CVE-2018-19351
https://security.archlinux.org/CVE-2018-19352
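The two defect classes described above, as an added illustration that is not Jupyter's own code nor its actual fix: escaping a directory name before it reaches tree-view markup (the CVE-2018-19352 class) and serving a preview endpoint that renders untrusted notebook HTML under a sandboxing Content-Security-Policy so it gets no access to the notebook server's origin (the CVE-2018-19351 class). The function names, the `/tree/` path, the `item_link` class and the sample entries are assumptions constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed sample entries (not from the advisory): the second carries
# markup and the third breaks out of an attribute, the way a crafted
# directory name could when interpolated raw into the tree view.
SAMPLE_ENTRIES = ["notebooks", "reports <b>2018</b>", 'x" onmouseover="y']


def render_tree_row_unsafe(name: str) -> str:
    """Interpolates a directory name straight into markup (the defect class)."""
    return f'<a class="item_link" href="/tree/{name}">{name}</a>'


def render_tree_row(name: str) -> str:
    """Escapes the name for element content and percent-encodes it for the URL."""
    href = "/tree/" + quote(name, safe="")
    return f'<a class="item_link" href="{href}">{html.escape(name, quote=True)}</a>'


def tree_listing(entries) -> str:
    """Renders a whole directory listing with the hardened row renderer."""
    return "\n".join(render_tree_row(e) for e in entries)


def preview_headers() -> dict:
    """Response headers for an endpoint that renders untrusted notebook HTML.

    The CSP 'sandbox' directive makes the browser treat the response as a
    unique opaque origin with scripts disabled, so markup that survives
    conversion cannot read the notebook server's cookies or call its API.
    Adding 'allow-scripts' would re-enable scripts while keeping the opaque
    origin (an assumption about the trade-off, not the project's setting).
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "sandbox",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print("unsafe:", render_tree_row_unsafe(entry))
        print("safe:  ", render_tree_row(entry))
    print(preview_headers())
```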