usn-5585-1
Vulnerability from osv_ubuntu
Published
2022-08-30 09:26
Modified
2026-04-27 14:11
Summary
jupyter-notebook vulnerabilities
Details

It was discovered that Jupyter Notebook incorrectly handled certain notebooks. An attacker could possibly use this issue of lack of Content Security Policy in Nbconvert to perform cross-site scripting (XSS) attacks on the notebook server. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-19351)

It was discovered that Jupyter Notebook incorrectly handled certain SVG documents. An attacker could possibly use this issue to perform cross-site scripting (XSS) attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-21030)

It was discovered that Jupyter Notebook incorrectly filtered certain URLs on the login page. An attacker could possibly use this issue to perform open-redirect attack. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-10255)

It was discovered that Jupyter Notebook had an incomplete fix for CVE-2019-10255. An attacker could possibly use this issue to perform open-redirect attack using empty netloc. (CVE-2019-10856)

It was discovered that Jupyter Notebook incorrectly handled the inclusion of remote pages on Jupyter server. An attacker could possibly use this issue to perform cross-site script inclusion (XSSI) attacks. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-9644)

It was discovered that Jupyter Notebook incorrectly filtered certain URLs to a notebook. An attacker could possibly use this issue to perform open-redirect attack. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-26215)

It was discovered that Jupyter Notebook server access logs were not protected. An attacker having access to the notebook server could possibly use this issue to get access to steal sensitive information such as auth/cookies. (CVE-2022-24758)

It was discovered that Jupyter Notebook incorrectly configured hidden files on the server. An authenticated attacker could possibly use this issue to see unwanted sensitive hidden files from the server which may result in getting full access to the server. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-29238)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2018-19351",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2018-21030",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2019-9644",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2019-10255",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2019-10856",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2020-26215",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-24758",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:18.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "jupyter-notebook",
            "binary_version": "5.2.2-1ubuntu0.1"
          },
          {
            "binary_name": "python-notebook",
            "binary_version": "5.2.2-1ubuntu0.1"
          },
          {
            "binary_name": "python3-notebook",
            "binary_version": "5.2.2-1ubuntu0.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "name": "jupyter-notebook",
        "purl": "pkg:deb/ubuntu/jupyter-notebook@5.2.2-1ubuntu0.1?arch=source\u0026distro=bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.2.2-1ubuntu0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.2.3-4",
        "5.1.0-2",
        "5.2.1-2",
        "5.2.2-1"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2019-10856",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2020-26215",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-24758",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-29238",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:20.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "jupyter-notebook",
            "binary_version": "6.0.3-2ubuntu0.1"
          },
          {
            "binary_name": "python3-notebook",
            "binary_version": "6.0.3-2ubuntu0.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:20.04:LTS",
        "name": "jupyter-notebook",
        "purl": "pkg:deb/ubuntu/jupyter-notebook@6.0.3-2ubuntu0.1?arch=source\u0026distro=focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.0.3-2ubuntu0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.7.8-1",
        "6.0.0-1",
        "6.0.0-2",
        "6.0.2-1",
        "6.0.3-1",
        "6.0.3-2"
      ]
    },
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2019-10856",
              "severity": [
                {
                  "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-24758",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-29238",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:22.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "jupyter-notebook",
            "binary_version": "6.4.8-1ubuntu0.1"
          },
          {
            "binary_name": "python3-notebook",
            "binary_version": "6.4.8-1ubuntu0.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "jupyter-notebook",
        "purl": "pkg:deb/ubuntu/jupyter-notebook@6.4.8-1ubuntu0.1?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.8-1ubuntu0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "6.2.0-1",
        "6.4.5-2",
        "6.4.5-3",
        "6.4.5-4",
        "6.4.8-1"
      ]
    }
  ],
  "aliases": [],
  "details": "It was discovered that Jupyter Notebook incorrectly handled certain notebooks.\nAn attacker could possibly use this issue of lack of Content Security Policy\nin Nbconvert to perform cross-site scripting (XSS) attacks on the notebook\nserver. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-19351)\n\nIt was discovered that Jupyter Notebook incorrectly handled certain SVG\ndocuments. An attacker could possibly use this issue to perform cross-site\nscripting (XSS) attacks. This issue only affected Ubuntu 18.04 LTS.\n(CVE-2018-21030)\n\nIt was discovered that Jupyter Notebook incorrectly filtered certain URLs on\nthe login page. An attacker could possibly use this issue to perform\nopen-redirect attack. This issue only affected Ubuntu 18.04 LTS.\n(CVE-2019-10255)\n\nIt was discovered that Jupyter Notebook had an incomplete fix for\nCVE-2019-10255. An attacker could possibly use this issue to perform\nopen-redirect attack using empty netloc. (CVE-2019-10856)\n\nIt was discovered that Jupyter Notebook incorrectly handled the inclusion of\nremote pages on Jupyter server. An attacker could possibly use this issue to\nperform cross-site script inclusion (XSSI) attacks. This issue only affected\nUbuntu 18.04 LTS. (CVE-2019-9644)\n\nIt was discovered that Jupyter Notebook incorrectly filtered certain URLs to a\nnotebook. An attacker could possibly use this issue to perform open-redirect\nattack. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.\n(CVE-2020-26215)\n\nIt was discovered that Jupyter Notebook server access logs were not protected.\nAn attacker having access to the notebook server could possibly use this issue\nto get access to steal sensitive information such as auth/cookies.\n(CVE-2022-24758)\n\nIt was discovered that Jupyter Notebook incorrectly configured hidden files on\nthe server. An authenticated attacker could possibly use this issue to see\nunwanted sensitive hidden files from the server which may result in getting\nfull access to the server. This issue only affected Ubuntu 20.04 LTS and\nUbuntu 22.04 LTS. (CVE-2022-29238)\n",
  "id": "USN-5585-1",
  "modified": "2026-04-27T14:11:28Z",
  "published": "2022-08-30T09:26:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-5585-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2018-19351"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2018-21030"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2019-9644"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2019-10255"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2019-10856"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2020-26215"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-24758"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-29238"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "jupyter-notebook vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2018-19351",
    "UBUNTU-CVE-2018-21030",
    "UBUNTU-CVE-2019-9644",
    "UBUNTU-CVE-2019-10255",
    "UBUNTU-CVE-2019-10856",
    "UBUNTU-CVE-2020-26215",
    "UBUNTU-CVE-2022-24758",
    "UBUNTU-CVE-2022-29238"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…