{"id":"MGASA-2022-0323","summary":"Updated jupyter-notebook packages fix security vulnerability","details":"It was discovered that Jupyter Notebook incorrectly handled certain\nnotebooks. An attacker could possibly use this issue of lack of Content\nSecurity Policy in Nbconvert to perform cross-site scripting (XSS) attacks\non the notebook server. (CVE-2018-19351)\n\nIt was discovered that Jupyter Notebook incorrectly handled certain SVG\ndocuments. An attacker could possibly use this issue to perform cross-site\nscripting (XSS) attacks. (CVE-2018-21030)\n\nIt was discovered that Jupyter Notebook incorrectly filtered certain URLs\non the login page. An attacker could possibly use this issue to perform\nopen-redirect attack. (CVE-2019-10255)\n\nIt was discovered that Jupyter Notebook had an incomplete fix for\nCVE-2019-10255. An attacker could possibly use this issue to perform\nopen-redirect attack using empty netloc. (CVE-2019-10856)\n\nIt was discovered that Jupyter Notebook incorrectly handled the inclusion\nof remote pages on Jupyter server. An attacker could possibly use this\nissue to perform cross-site script inclusion (XSSI) attacks.\n(CVE-2019-9644)\n\nIt was discovered that Jupyter Notebook incorrectly filtered certain URLs\nto a notebook. An attacker could possibly use this issue to perform\nopen-redirect attack. (CVE-2020-26215)\n\nIt was discovered that Jupyter Notebook server access logs were not\nprotected. An attacker having access to the notebook server could possibly\nuse this issue to get access to steal sensitive information such as\nauth/cookies. (CVE-2022-24758)\n\nIt was discovered that Jupyter Notebook incorrectly configured hidden\nfiles on the server. An authenticated attacker could possibly use this\nissue to see unwanted sensitive hidden files from the server which may\nresult in getting full access to the server. 
(CVE-2022-29238)\n\nMoment.js: Path traversal in moment.locale (CVE-2022-24785)\n\nmoment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n","modified":"2026-04-16T00:11:46.353460735Z","published":"2022-09-10T20:26:43Z","upstream":["CVE-2018-19351","CVE-2018-21030","CVE-2019-10255","CVE-2019-10856","CVE-2019-9644","CVE-2020-26215","CVE-2022-24758","CVE-2022-24785","CVE-2022-29238","CVE-2022-31129"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0323.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30789"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30664"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5585-1"},{"type":"ADVISORY","url":"https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55"},{"type":"ADVISORY","url":"https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/"}],"affected":[{"package":{"name":"jupyter-notebook","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/jupyter-notebook?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.4.12-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0323.json"}},{"package":{"name":"python-send2trash","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-send2trash?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0323.json"}},{"package":{"name":"python-nest-asyncio","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/python-nest-asyncio?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"
1.5.5-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0323.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}