Back

CVE-2024-39700

July 16, 2024, 6:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

JupyterLab extension template

  • up to 4.2.9

Source

security-advisories@github.com

Tags

security-advisories@github.com
CWE-94
2024-07-16
CVE-2024-39700

CVE-2024-39700 details

Published : July 16, 2024, 6:15 p.m.
Last Modified : July 16, 2024, 6:15 p.m.

Description

JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with `test` option include `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml`, accept overwriting of this file and re-apply your changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. We recommend rebasing all open pull requests from untrusted users as actions may run using the version from the `main` branch at the time when the pull request was created. Users who are upgrading from template version prior to 4.3.0 may wish to leave out proposed changes to the release workflow for now as it requires additional configuration.

CVSS Score

1 2 3 4 5 6 7 8 9.9 10

Weakness

Weakness Name Description
CWE-94 Improper Control of Generation of Code ('Code Injection') The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.9

Exploitability Score

3.1

Impact Score

6.0

Base Severity

CRITICAL

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References

URL Source
https://github.com/jupyterlab/extension-template/commit/035e78c1c65bcedee97c95bb683abe59c96bc4e6 security-advisories@github.com
https://github.com/jupyterlab/extension-template/security/advisories/GHSA-45gq-v5wm-82wg security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.