CVE-2024-22420

Advisory

CVE-2024-22420 describes a vulnerability in Jupyter Notebook, where user interaction with a malicious notebook or Markdown file enables an attacker to access and act with the same permissions as the user. The flaw lies in the table of contents plugin. Jupyter Notebook v7.0.7 includes a patch for this issue. Users can manually disable the plugin as a workaround.
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4

Affected package

Affected versions

Fixed versions

Vulnerability changelog

([Full Changelog](https://github.com/jupyterlab/jupyterlab/compare/v4.1.0b1...43a4e70bfba19b0de21e17409477a91708964792))

Security fixes
- Potential authentication and CSRF tokens leak in JupyterLab ([GHSA-44cc-43rp-5947](https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947))
- SXSS in Markdown Preview ([GHSA-4m77-cmpx-vjc4](https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4m77-cmpx-vjc4))

Documentation improvements

- User-facing changelog for 4.1 [15648](https://github.com/jupyterlab/jupyterlab/pull/15648) ([krassowski](https://github.com/krassowski))

Contributors to this release

([GitHub contributors page for this release](https://github.com/jupyterlab/jupyterlab/graphs/contributors?from=2024-01-17&to=2024-01-19&type=c))

[github-actions](https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Agithub-actions+updated%3A2024-01-17..2024-01-19&type=Issues) | [jupyterlab-probot](https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Ajupyterlab-probot+updated%3A2024-01-17..2024-01-19&type=Issues) | [krassowski](https://github.com/search?q=repo%3Ajupyterlab%2Fjupyterlab+involves%3Akrassowski+updated%3A2024-01-17..2024-01-19&type=Issues)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22420