PyPI: jupyterlab
CVE-2021-32797
Safety vulnerability ID: SFTY-20210809-44092
Safety legacy ID: pyup.io-41707
Overview
JupyterLab: XSS due to lack of sanitization of the action attribute of an html <form>
Advisory
JupyterLab versions 3.1.4, 3.0.17, 2.3.2, 2.2.10 and 1.2.21 include a fix for CVE-2021-32797. In affected versions, an untrusted notebook can execute code when it is opened. JupyterLab sanitizes the HTML it renders from notebook content, but the sanitizer does not check the action attribute of an HTML <form>, so a notebook author can place an arbitrary URL there; the advisory also notes that form validation can be triggered from outside the form itself. The result is script execution in the victim's JupyterLab browser session, which the advisory rates as remote code execution: that session is authenticated to the Jupyter server, so injected script can call the server API with the victim's privileges (for example to start a kernel and run code). Exploitation requires the victim to open the malicious notebook. Advisory: https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx Fix commit: https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed
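The following triage script is an added example, not code from JupyterLab or from the advisory. It shows the sanitizer gap the advisory describes by applying two URL-attribute policies to the HTML a notebook would render: one that scheme-checks only href and src (and therefore lets a <form action> through) and a hardened one that also covers action and formaction. The policies, the set of allowed schemes and the sample notebook are assumptions constructed here; the javascript: form action in the sample is the canonical abuse of an unchecked URL attribute and is not a payload taken from the advisory. It uses only the Python standard library and can be pointed at a real .ipynb file before that file is opened in an unpatched JupyterLab.

```python
"""Triage an untrusted .ipynb for URL attributes a sanitizer must scheme-check.

Added example (not JupyterLab's sanitizer): scans the HTML JupyterLab renders,
i.e. text/html outputs of code cells and raw HTML in markdown cells.
"""
import json
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policies, not JupyterLab's real allow-lists: a sanitizer that
# scheme-checks only href/src (the gap in the advisory) versus one that also
# covers <form action> and the per-button formaction override.
URL_ATTRS_UNPATCHED = frozenset({"href", "src"})
URL_ATTRS_HARDENED = frozenset({"href", "src", "action", "formaction"})
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})  # assumption; relative URLs also pass


def url_scheme(value):
    """Lowercase scheme of a URL as a browser would see it: ASCII control
    characters and whitespace are dropped first, so 'java\\nscript:' and
    ' javascript:' are not mistaken for scheme-less relative URLs."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower()


class UnsafeUrlFinder(HTMLParser):
    """Records (tag, attribute, value) for URL attributes with a disallowed scheme."""

    def __init__(self, url_attrs, safe_schemes=SAFE_SCHEMES):
        super().__init__()
        self.url_attrs = url_attrs
        self.safe_schemes = safe_schemes
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # HTMLParser lowercases tag and attribute names
            if value is None or name not in self.url_attrs:
                continue
            scheme = url_scheme(value)
            if scheme and scheme not in self.safe_schemes:
                self.findings.append((tag, name, value))


def find_unsafe_urls(html, url_attrs, safe_schemes=SAFE_SCHEMES):
    parser = UnsafeUrlFinder(url_attrs, safe_schemes)
    parser.feed(html)
    parser.close()
    return parser.findings


def _as_text(value):
    # nbformat stores source and mime data either as a string or a list of lines
    return "".join(value) if isinstance(value, list) else value


def scan_notebook(nb, url_attrs=URL_ATTRS_HARDENED):
    """One record per unsafe URL attribute in HTML the frontend would render."""
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        sources = []
        if cell.get("cell_type") == "markdown":
            sources.append(("markdown", _as_text(cell.get("source", ""))))
        for out in cell.get("outputs", []):
            html = out.get("data", {}).get("text/html")
            if html is not None:
                sources.append((out.get("output_type", "output"), _as_text(html)))
        for where, html in sources:
            for tag, attr, value in find_unsafe_urls(html, url_attrs):
                findings.append({"cell": idx, "where": where, "tag": tag,
                                 "attr": attr, "value": value})
    return findings


# Constructed sample notebook (assumption, not the advisory's reproducer).
SAMPLE_HTML = ('<a href="https://example.org/report">report</a>'
               '<form action="JavaScript:alert(document.domain)">'
               '<input type="submit" value="Refresh"></form>')
SAMPLE_NOTEBOOK = {
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Quarterly numbers\n", '<img src="chart.png">']},
        {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": "show()",
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/html": [SAMPLE_HTML]}}]},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            notebook = json.load(fh)
    else:
        notebook = SAMPLE_NOTEBOOK
    for label, policy in (("href/src only", URL_ATTRS_UNPATCHED),
                          ("href/src/action/formaction", URL_ATTRS_HARDENED)):
        print(f"{label}: {scan_notebook(notebook, policy)}")
```

Run it with a notebook path to triage that file, or with no arguments to see the sample: the href/src-only policy reports nothing for the sample, while the hardened policy flags the form's action. Note that this is a triage aid for spotting obviously hostile content; the fix is to upgrade to one of the patched versions listed above, and a notebook that scans clean is not thereby trusted.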
Affected Package
Also affects
---
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20210809-44092/CVE-2021-32797
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32797
- https://github.com/jupyterlab/jupyterlab/commit/504825938c0abfa2fb8ff8d529308830a5ae42ed
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx
- https://nvd.nist.gov/vuln/detail/CVE-2021-32797
- https://github.com/google/security-research/security/advisories/GHSA-c469-p3jp-2vhx
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyterlab/PYSEC-2021-130.yaml
- https://github.com/advisories/GHSA-4952-p58q-6crx
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
