PyPI: jupyterlab
CVE-2024-22420
Safety vulnerability ID: SFTY-20240119-55967
Safety legacy ID: pyup.io-64587
CVE-2024-22420 describes a vulnerability in JupyterLab, where user interaction with a malicious notebook or Markdown file enables an attacker to access and act with the same permissions as the user. The flaw lies in the table of contents plugin. JupyterLab v4.0.11 includes a patch for this issue. Users can manually disable the plugin as a workaround. Upstream advisory: https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
Overview
JupyterLab vulnerable to SXSS in Markdown Preview
References
- https://getsafety.com/vulnerabilities/SFTY-20240119-55967/CVE-2024-22420
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22420
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
- https://github.com/jupyterlab/jupyterlab/commit/dda0033cd49449572d077bbecd33b18d8d05f48a
- https://nvd.nist.gov/vuln/detail/CVE-2024-22420
- https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/
- https://github.com/advisories/GHSA-4m77-cmpx-vjc4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.