CVE-2024-22420: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

January 19, 2024

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab version 4.0.11 has been patched. Users are advised to upgrade. Users unable to upgrade should disable the table of contents extension.

References

github.com/advisories/GHSA-4m77-cmpx-vjc4
github.com/jupyterlab/jupyterlab/commit/dda0033cd49449572d077bbecd33b18d8d05f48a
github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4

Detect and mitigate CVE-2024-22420 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →