CVE-2024-43805: HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering
The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.
A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.
References
- github.com/advisories/GHSA-9q39-rmj3-p4r2
- github.com/jupyterlab/jupyterlab
- github.com/jupyterlab/jupyterlab/commit/06ad9de836f155add7d3d651ef936cc4c5ea8093
- github.com/jupyterlab/jupyterlab/commit/88e24baac551196f9cb3de16bd060a7ab1597674
- github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2
- nvd.nist.gov/vuln/detail/CVE-2024-43805
Code Behaviors & Features
Detect and mitigate CVE-2024-43805 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →