CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
AI Score
Confidence: High
EPSS Percentile: 20.6%
Exploitation requires user interaction: the attacked user must open a malicious notebook containing Markdown cells, or a malicious Markdown file, using the JupyterLab preview feature.
A malicious user can then read any data the attacked user has access to and perform arbitrary requests acting as the attacked user.
The issue was patched in JupyterLab v4.0.11.
Users can either disable the table of contents extension by running:
jupyter labextension disable @jupyterlab/toc-extension:registry
Vulnerability reported via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
Vendor | Product | Version | CPE |
---|---|---|---|
* | notebook | * | cpe:2.3:a:*:notebook:*:*:*:*:*:*:*:* |
jupyterlab | jupyterlab | * | cpe:2.3:a:jupyterlab:jupyterlab:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-4m77-cmpx-vjc4
github.com/jupyterlab/jupyterlab/commit/dda0033cd49449572d077bbecd33b18d8d05f48a
github.com/jupyterlab/jupyterlab/commit/e1b3aabab603878e46add445a3114e838411d2df
github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4
lists.fedoraproject.org/archives/list/[email protected]/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/
nvd.nist.gov/vuln/detail/CVE-2024-22420