Channel: Jupyter Blog - Medium

Jupyter notebook XSSI security fix


We have just released Jupyter notebook 5.7.6 with a security fix for a cross-site inclusion (XSSI) vulnerability: content served by a Jupyter server could be included in a page on another site if the visitor is logged in to the Jupyter server and the page's author knows the server's URL and the path, within the server's notebook directory, of the file they want to include. Further, it has been demonstrated with the Internet Explorer browser that some content from the accessed file can be retrieved by the attacking page; this has not yet been demonstrated with other browsers.
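The post does not describe the patch itself. As an added illustration (not the Jupyter project's code), the function below shows one common server-side defence against this class of cross-site inclusion: a GET or HEAD request for user content is refused when its Origin or Referer header names an origin other than the server's own. The content path prefixes and the header dictionaries are constructed for the example.

```python
from urllib.parse import urlsplit

# Paths that serve user-owned files and should not be loadable from another
# origin (assumed set for illustration, not the project's own list).
CONTENT_PREFIXES = ("/files/", "/api/contents/", "/nbextensions/")


def _origin_of(url):
    """Return (scheme, host[:port]) from a URL, lowercased, or None if it
    is not an absolute URL (covers the literal "null" Origin as well)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return (parts.scheme.lower(), parts.netloc.lower())


def is_cross_origin(headers, server_scheme="http"):
    """True if Origin (preferred) or Referer names an origin other than
    this server. A request carrying neither header is treated as same-
    origin here; in a real deployment the XSRF token check still applies
    to it, so this function is a complement, not a replacement."""
    host = headers.get("Host", "").lower()
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            origin = _origin_of(value)
            return origin is None or origin != (server_scheme, host)
    return False


def should_block(method, path, headers, server_scheme="http"):
    """Decide whether a request for user content must be refused (403)
    because another site is trying to include it in the visitor's session."""
    if method not in ("GET", "HEAD"):
        return False  # state-changing methods rely on the XSRF token instead
    if not path.startswith(CONTENT_PREFIXES):
        return False  # static assets and the UI itself are not user data
    return is_cross_origin(headers, server_scheme)


if __name__ == "__main__":
    # Constructed sample: a logged-in visitor's browser loading a notebook
    # file because a third-party page embedded it.
    hostile = {"Host": "localhost:8888", "Referer": "https://other.example/page.html"}
    print(should_block("GET", "/files/secret.txt", hostile))  # True
```

Logging the Referer alongside the 403 gives an operator a direct signal of which third-party page attempted the inclusion.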

To upgrade:

pip install --upgrade 'notebook>=5.7.6'

or conda:

conda install 'notebook>=5.7.6'

This vulnerability was reported by the HackerOne hacker Abhishek Bundela, via Jonathan Kamens at Quantopian. The patch was developed by Min Ragan-Kelley with help from Devdatta Akhawe. Jupyter is grateful to Quantopian’s bug bounty program, which has found and reported this and other security flaws in Jupyter.

This vulnerability has been assigned CVE-2019-9644.


Jupyter notebook XSSI security fix was originally published in Jupyter Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

