CVE-2021-32797

Published: Aug 9, 2021

Modified: Aug 3, 2024

PUBLISHED

CVSS v3.1

7.4

HIGH

Description

JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook. In affected versions untrusted notebook can execute code on load. In particular JupyterLab doesn’t sanitize the action attribute of html `<form>`. Using this it is possible to trigger the form validation outside of the form itself. This is a remote code execution, but requires user action to open a notebook.

Vendor	Product	Versions
jupyterlab	jupyterlab	affected `>= 3.1.0, < 3.1.4` affected `>= 3.0.0, < 3.0.17` affected `>= 2.3.0, < 2.3.2` affected `>= 2.0.0, < 2.2.10` affected `< 1.2.1`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx

x_refsource_CONFIRM

https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-32797

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References