[IPython-dev] Vulnerability in IPython Notebook ≤ 1.1
Julian Taylor
jtaylor.debian at googlemail.com
Wed Jul 16 14:19:24 EDT 2014
Why wasn't this disclosed on the appropriate channels 6 months ago when
it was fixed?
It didn't even get a proper changelog entry nor did distribution
maintainers get informed at all.
Remote execution on localhost notebooks is really really bad, even if
you do need the kernel id.
This should have been posted to oss-security at the latest when 1.2.0
was released ...
On 14.07.2014 17:20, Kyle Kelley wrote:
> Whoops!
>
> Correction, CVE ID was truncated. It should read:
>
> The CVE ID is CVE-2014-3429
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3429).
>
>
>
> On Sun, Jul 13, 2014 at 3:56 PM, Kyle Kelley <rgbkrk at gmail.com> wrote:
>
> Everyone,
>
> On IPython ≤ 1.1, a remote site could have exploited a vulnerability
> in cross origin websocket handling to execute code on an IPython
> kernel, with knowledge of the kernel id (which requires user
> intervention).
>
> This vulnerability was patched
> in https://github.com/ipython/ipython/pull/4845 and reported to the
> CVE (Common Vulnerabilities and Exposures) database.
>
> Summary given to the CVE database: The origin of websocket requests
> was not verified within the IPython notebook server. If an attacker
> has knowledge of an IPython kernel id they can run arbitrary code on
> a user's machine when the client visits a crafted malicious page.
>
> The CVE ID is CVE-2014-342
> (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-342).
>
> If you were at SciPy and watched the final round of lightning talks,
> you already know about this vulnerability (as much as you can within
> a 5 minute talk that is).
>
> I wrote a more detailed explanation
> at http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
>
> Feel free to ask us (the IPython team) any questions!
>
> Regards,
>
> Kyle Kelley
>
>
>
>
>
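The missing check named in the CVE summary quoted above (websocket Origin not verified), shown as an added example that is not part of the original messages and is not IPython's own patch. The function name `origin_allowed`, its parameters, and the sample headers are assumptions made for illustration; the policy of rejecting handshakes without an Origin header is also an assumption (browser clients only).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _host_port(netloc, scheme):
    """Normalise 'host[:port]' to (lowercase host, explicit port)."""
    parts = urlsplit(f"{scheme}://{netloc}")
    return (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS[scheme]

def origin_allowed(headers, server_scheme="http", extra_allowed=()):
    """Return True only if the handshake's Origin is the server's own origin.

    headers: dict of websocket handshake request headers.
    extra_allowed: exact origin strings to accept in addition (hypothetical
    allow-list, e.g. a trusted front-end served from another host).
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin, host = h.get("origin"), h.get("host")
    if not origin or not host:
        return False  # assumption: only browsers connect, so Origin is required
    if origin in extra_allowed:
        return True
    try:
        o = urlsplit(origin)
        if o.scheme not in DEFAULT_PORTS or not o.hostname:
            return False  # rejects "null" and non-http(s) origins
        # Compare parsed scheme/host/port, never string prefixes.
        origin_hp = (o.hostname.lower(), o.port or DEFAULT_PORTS[o.scheme])
        return o.scheme == server_scheme and origin_hp == _host_port(host, server_scheme)
    except ValueError:
        return False  # malformed port or address: refuse the upgrade

# Constructed handshake headers (not captured traffic).
SAME_SITE = {"Host": "localhost:8888", "Origin": "http://localhost:8888"}
CROSS_SITE = {"Host": "localhost:8888", "Origin": "http://attacker.example"}

if __name__ == "__main__":
    for name, hdrs in (("same-site", SAME_SITE), ("cross-site", CROSS_SITE)):
        verdict = "accept" if origin_allowed(hdrs) else "reject (403)"
        print(f"{name}: {verdict}")
```

A server would call this before completing the websocket upgrade and refuse the handshake when it returns False.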