Candidate: CVE-2019-9644
PublicDate: 2019-03-12 09:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9644
 https://github.com/jupyter/notebook/commit/cfc335b76466ccf1538ce545b654b29b5ab0097c
 https://github.com/jupyter/notebook/commit/b5105814fc41c6d789b317fa59f786bad7f9d798
 https://github.com/jupyter/notebook/commit/bfaa61385729ed4fb453863053f9a79141f01119
 https://github.com/jupyter/notebook/compare/f3f00df...05aa4b2
Description:
 An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before
 5.7.6 allows inclusion of resources on malicious pages when visited by
 users who are authenticated with a Jupyter server. Access to the content of
 resources has been demonstrated with Internet Explorer through capturing of
 error messages, though not reproduced with other browsers. This occurs
 because Internet Explorer's error messages can include the content of any
 invalid JavaScript that was encountered.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924515
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N [5.4 MEDIUM]


Patches_jupyter-notebook:
upstream_jupyter-notebook: needs-triage
precise/esm_jupyter-notebook: DNE
trusty_jupyter-notebook: DNE
trusty/esm_jupyter-notebook: DNE
xenial_jupyter-notebook: DNE
bionic_jupyter-notebook: needs-triage
cosmic_jupyter-notebook: ignored (reached end-of-life)
disco_jupyter-notebook: ignored (reached end-of-life)
eoan_jupyter-notebook: not-affected (5.7.8-1)
focal_jupyter-notebook: not-affected (5.7.8-1)
groovy_jupyter-notebook: not-affected (5.7.8-1)
hirsute_jupyter-notebook: not-affected (5.7.8-1)
impish_jupyter-notebook: not-affected (5.7.8-1)
jammy_jupyter-notebook: not-affected (5.7.8-1)
devel_jupyter-notebook: not-affected (5.7.8-1)