HIGH 7.6

GHSA-9q39-rmj3-p4r2

HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering

Details

### Impact

The vulnerability requires user interaction: the victim must open a malicious notebook containing Markdown cells, or open a malicious Markdown file using the JupyterLab preview feature.

A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.

### Patches

JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 were patched.

### Workarounds

There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are:

- `@jupyterlab/mathjax-extension:plugin` - users will lose the ability to preview mathematical equations
- `@jupyterlab/markdownviewer-extension:plugin` - users will lose the ability to open Markdown previews
- `@jupyterlab/mathjax2-extension:plugin` (if installed with the optional `jupyterlab-mathjax2` package) - an older version of the mathjax plugin for JupyterLab 4.x

To disable these extensions run:

```bash
jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin
jupyter labextension disable @jupyterlab/mathjax-extension:plugin
jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
```

To confirm that the plugins were disabled run:

```bash
jupyter labextension list
```

### References

None

### Notes

This change has the potential to break rendering of some Markdown. There is a setting in the Sanitizer (`allowNamedProperties`) which allows reverting to the previous sanitizer behaviour.


Affected packages

| Ecosystem / package | Introduced in | Fixed in | Fix |
|---|---|---|---|
| PyPI / jupyterlab | 0 | 3.6.8 | `pip install --upgrade 'jupyterlab>=3.6.8'` |
| PyPI / notebook | 7.0.0 | 7.2.2 | `pip install --upgrade 'notebook>=7.2.2'` |
| PyPI / jupyterlab | 4.0.0 | 4.2.5 | `pip install --upgrade 'jupyterlab>=4.2.5'` |
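As an added example that is not part of the advisory, the following Python script encodes the affected ranges from the table above (note the two separate jupyterlab ranges) and checks the versions installed in the current environment against them. The version parsing is an assumed, deliberate simplification of PEP 440 that handles release and pre-release strings, not the `packaging` library.

```python
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

# Affected version ranges, copied from the advisory's table: [introduced, fixed).
# jupyterlab has two separate ranges, one per release line.
AFFECTED_RANGES = {
    "jupyterlab": [("0", "3.6.8"), ("4.0.0", "4.2.5")],
    "notebook": [("7.0.0", "7.2.2")],
}

def parse_version(text):
    """Turn a release string into a comparable key.

    Numeric components are padded to three places so "4.2" == "4.2.0".
    Any suffix (rc1, a1, .dev0) is treated as a pre-release and sorts
    below the plain release; PEP 440 post-releases are not modelled.
    """
    match = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * max(0, 3 - len(numbers))
    is_final_release = 0 if match.group(2) else 1
    return (numbers, is_final_release)

def is_affected(package, release):
    """True if `release` of `package` falls inside an affected range."""
    key = parse_version(release)
    return any(
        parse_version(low) <= key < parse_version(high)
        for low, high in AFFECTED_RANGES.get(package, [])
    )

def check_installed():
    """Map each package to (installed version, affected?) or None if absent."""
    report = {}
    for package in AFFECTED_RANGES:
        try:
            release = installed_version(package)
        except PackageNotFoundError:
            report[package] = None
            continue
        report[package] = (release, is_affected(package, release))
    return report

if __name__ == "__main__":
    for package, result in check_installed().items():
        print(package, "not installed" if result is None else result)
```

Run it inside the Python environment that serves JupyterLab or Notebook, since `importlib.metadata` only sees packages installed there.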
