Bug 1227583 (CVE-2021-32798)

Summary: VUL-0: CVE-2021-32798: python-notebook: The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to ...
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Python maintainers (group account) <python-maintainers>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/306081/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-07-09 14:35:59 UTC 
The Jupyter notebook is a web-based notebook environment for interactive
computing. In affected versions untrusted notebook can execute code on load.
Jupyter Notebook uses a deprecated version of Google Caja to sanitize user
inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a
malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to
execute arbitrary code on the victim computer using Jupyter APIs.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32798
https://www.cve.org/CVERecord?id=CVE-2021-32798
https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5
Comment 1 Marcus Meissner 2024-07-09 14:37:32 UTC 
openSUSE:Backports:SLE-15-SP5:Update/python-notebook
openSUSE:Backports:SLE-15-SP6:Update/python-notebook
Comment 2 Marcus Meissner 2024-07-09 14:37:54 UTC 
backports affected, SUSE:SLFO:Main and SUSE:ALP:Source:Standard:1.0 and Factory are ok