Jupyter Notebook security fixes

Two security issues have been found and fixed this week. In both cases untrusted JavaScript could be executed if malicious files were delivered to the user's system and the user took specific actions with those files.

The first allowed nbconvert endpoints (such as Print Preview) to render untrusted HTML and JavaScript with access to the notebook server. This is fixed in notebook 5.7.1. All notebook versions prior to 5.7.1 are affected. Thanks to Jonathan Kamens of Quantopian for reporting. This issue has been assigned CVE-2018-19351.

The second issue allowed maliciously crafted directory names to execute JavaScript when opened in the tree view. This is fixed in notebook 5.7.2. All versions of notebook from 5.3.0 to 5.7.1 are affected. Thanks to Marvin Solano Quesada for reporting. This issue has been assigned CVE-2018-19352.

You can check your version of the notebook package by issuing the following command:

jupyter notebook --version

Whether you are using the classic notebook, JupyterLab or any other notebook server extension, we recommend that you update the notebook package with:

pip install --upgrade notebook

or, if you are using conda-forge:

conda upgrade notebook
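As an added example (not part of the original post or of the Jupyter project), the following Python script automates the check described above: it runs jupyter notebook --version and compares the result against the affected ranges stated in this post (before 5.7.1 for CVE-2018-19351, 5.3.0 through 5.7.1 for CVE-2018-19352). The affected_cves function can also be called directly on a version string taken from another machine.

```python
"""Check an installed notebook version against the two advisories above."""
import re
import subprocess

# Affected ranges exactly as stated in the post: (CVE, first affected, first fixed).
# A first-affected value of None means "every release before the fix".
ADVISORIES = [
    ("CVE-2018-19351", None, "5.7.1"),     # nbconvert endpoints rendering untrusted HTML/JS
    ("CVE-2018-19352", "5.3.0", "5.7.2"),  # crafted directory names executing JS in tree view
]


def parse_version(text):
    """Turn '5.7.0' or '5.7.1rc1' into a comparable tuple.

    The last element is 1 for a final release and 0 for anything carrying a
    suffix, so '5.7.1rc1' sorts below '5.7.1'. Any suffix (including .post1)
    is treated this way, which errs on the side of reporting a version as affected.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix.strip() else 1)


def affected_cves(version):
    """Return the CVEs from the post that apply to the given notebook version."""
    v = parse_version(version)
    hits = []
    for cve, first_affected, first_fixed in ADVISORIES:
        above_lower = first_affected is None or v >= parse_version(first_affected)
        if above_lower and v < parse_version(first_fixed):
            hits.append(cve)
    return hits


def installed_notebook_version():
    """Run the check command from the post; None if jupyter/notebook is absent."""
    try:
        out = subprocess.run(["jupyter", "notebook", "--version"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    installed = installed_notebook_version()
    if installed is None:
        print("notebook package not found; nothing to check")
    else:
        cves = affected_cves(installed)
        print("notebook %s: %s" % (installed, ", ".join(cves) if cves else "not affected"))
```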

Thanks especially to Jonathan and Marvin for reporting these issues! If you find a security issue in a Jupyter project, please report it to security@ipython.org.


Jupyter Notebook security fixes was originally published in Jupyter Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.
