Bug 1227583 (CVE-2021-32798) - VUL-0: CVE-2021-32798: python-notebook: The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to ...
Summary: VUL-0: CVE-2021-32798: python-notebook: The Jupyter notebook is a web-based n...
Status: NEW
Alias: CVE-2021-32798
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Assignee: Python maintainers (group account)
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/306081/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-07-09 14:35 UTC by SMASH SMASH
Modified: 2024-07-09 15:15 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-07-09 14:35:59 UTC
The Jupyter notebook is a web-based notebook environment for interactive
computing. In affected versions an untrusted notebook can execute code on load.
Jupyter Notebook uses a deprecated version of Google Caja to sanitize user
inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a
malicious ipynb document in Jupyter Notebook. The XSS allows an attacker to
execute arbitrary code on the victim's computer using Jupyter APIs.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32798
https://www.cve.org/CVERecord?id=CVE-2021-32798
https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5
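The attack surface described above is attacker-controlled HTML or JavaScript that the notebook front end renders when an .ipynb is opened: rich cell outputs (text/html, application/javascript, SVG) and raw HTML in Markdown cells. The following triage script, added here as an example and not code from the Jupyter project or from this bug report, walks the nbformat 4 structure (cells -> outputs -> data) and reports where such content sits, so a notebook from an untrusted source can be inspected before it is opened on a host still running an unpatched python-notebook. The sample notebook embedded at the bottom is constructed for the example; the script does not attempt any Caja bypass and makes no claim about which payloads get past the sanitizer.

```python
"""Triage helper for CVE-2021-32798: locate attacker-controlled HTML/JS in an .ipynb.

Added example, not the Jupyter project's own code. It inspects the nbformat 4
layout (cells -> outputs -> data) and flags the MIME bundles and Markdown
markers that the notebook UI renders as markup on load.
"""
import json
import re
import sys

# MIME bundles the notebook front end renders as markup (passed through the
# sanitizer for untrusted notebooks); these are the surfaces the advisory is about.
RENDERED_MARKUP_TYPES = ("text/html", "application/javascript",
                         "text/javascript", "image/svg+xml")

# Cheap markers of active content inside Markdown or HTML sources.
ACTIVE_CONTENT = re.compile(
    r"<script\b|\bon[a-z]+\s*=|javascript:|<iframe\b|<object\b|<embed\b", re.I)


def _text(source):
    """nbformat stores 'source' and MIME data either as a string or a list of lines."""
    if isinstance(source, list):
        return "".join(source)
    return source if isinstance(source, str) else ""


def scan_notebook(nb):
    """Return (cell_index, location, reason) findings for a parsed notebook dict."""
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        ctype = cell.get("cell_type")
        src = _text(cell.get("source"))
        # Markdown is rendered as HTML, so raw tags in it are rendered too.
        if ctype == "markdown" and ACTIVE_CONTENT.search(src):
            findings.append((i, "markdown source", "active HTML/JS markers"))
        if ctype != "code":
            continue
        for j, out in enumerate(cell.get("outputs", [])):
            # Only these two output types carry a MIME bundle; stream/error do not.
            if out.get("output_type") not in ("display_data", "execute_result"):
                continue
            data = out.get("data", {})
            for mime in RENDERED_MARKUP_TYPES:
                if mime in data:
                    reason = f"{mime} output"
                    if ACTIVE_CONTENT.search(_text(data[mime])):
                        reason += " with active content markers"
                    findings.append((i, f"output {j}", reason))
    return findings


def scan_file(path):
    """Scan an .ipynb file on disk."""
    with open(path, encoding="utf-8") as fh:
        return scan_notebook(json.load(fh))


# Constructed sample notebook (not a real attack payload): a benign result, an
# HTML output carrying an inline event handler, and a Markdown cell with a script tag.
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "code", "source": "1 + 1", "metadata": {}, "execution_count": 1,
         "outputs": [{"output_type": "execute_result", "execution_count": 1,
                      "metadata": {}, "data": {"text/plain": "2"}}]},
        {"cell_type": "code", "source": "from IPython.display import HTML; HTML(s)",
         "metadata": {}, "execution_count": 2,
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/html": ["<img src=x onerror=\"alert(1)\">"]}}]},
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Notes\n", "<script>/* constructed */</script>\n"]},
    ],
}

if __name__ == "__main__":
    # Usage: python scan_ipynb.py untrusted.ipynb   (no argument: scan the sample)
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_notebook(SAMPLE_NOTEBOOK)
    for idx, where, why in results:
        print(f"cell {idx}: {where}: {why}")
    sys.exit(1 if results else 0)
```

A hit does not prove a notebook is malicious (legitimate libraries emit text/html outputs all the time); it identifies the cells whose content the browser will render and that therefore deserve a look, or stripping with a tool such as nbconvert's output clearing, before the file is opened on an unpatched host. Notebooks with no findings still execute whatever code is in their cells once you run them; this check covers only the on-load rendering path the advisory describes.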
Comment 1 Marcus Meissner 2024-07-09 14:37:32 UTC
openSUSE:Backports:SLE-15-SP5:Update/python-notebook
openSUSE:Backports:SLE-15-SP6:Update/python-notebook
Comment 2 Marcus Meissner 2024-07-09 14:37:54 UTC
Backports affected; SUSE:SLFO:Main, SUSE:ALP:Source:Standard:1.0 and Factory are OK.