CVE-2024-28233: Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing
Affected configurations:
- Single-origin JupyterHub deployments
- JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server.
By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former’s session. More precisely, in the context of JupyterHub, this XSS could achieve the following:
- Full access to JupyterHub API and user’s single-user server, e.g.
- Create and exfiltrate an API Token
- Exfiltrate all files hosted on the user’s single-user server: notebooks, images, etc.
- Install malicious extensions. They can be used as a backdoor to silently regain access to victim’s session anytime.
References
Code Behaviors & Features
Detect and mitigate CVE-2024-28233 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →