{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22420", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-10T15:09:55.554Z", "datePublished": "2024-01-19T20:49:09.933Z", "dateUpdated": "2025-02-13T17:33:44.398Z"}, "containers": {"cna": {"title": "Stored cross site scripting in Markdown Preview in JupyterLab", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4"}, {"name": "https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df", "tags": ["x_refsource_MISC"], "url": "https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/"}], "affected": [{"vendor": "jupyterlab", "product": "jupyterlab", "versions": [{"version": ">=4.0.0, < 4.0.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-02T02:06:21.087Z"}, "descriptions": [{"lang": "en", "value": "JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab version 4.0.11 has been patched. Users are advised to upgrade. Users unable to upgrade should disable the table of contents extension."}], "source": {"advisory": "GHSA-4m77-cmpx-vjc4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.935Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4"}, {"name": "https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*", "matchCriteriaId": "98056E64-C6C4-498A-9C3F-67A7F4F11261", "versionEndExcluding": "4.0.11", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:jupyter:notebook:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF4CC1C2-B78B-466A-ACDE-4604DE69D4FD", "versionEndExcluding": "7.0.7", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab version 4.0.11 has been patched. Users are advised to upgrade. Users unable to upgrade should disable the table of contents extension."}, {"lang": "es", "value": "JupyterLab es un entorno extensible para inform\u00e1tica interactiva y reproducible, basado en Jupyter Notebook y Architecture. Esta vulnerabilidad depende de la interacci\u00f3n del usuario al abrir un archivo Markdown malicioso utilizando la funci\u00f3n de vista previa de JupyterLab. Un usuario malintencionado puede acceder a cualquier dato a los que tenga acceso el usuario atacado, as\u00ed como realizar solicitudes arbitrarias actuando como el usuario atacado. Se ha parcheado la versi\u00f3n 4.0.11 de JupyterLab. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben desactivar la extensi\u00f3n de la tabla de contenido."}], "id": "CVE-2024-22420", "lastModified": "2024-11-21T08:56:15.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-19T21:15:09.667", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}