CVE-2014-3429

critical

Description

IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.

References

https://github.com/ipython/ipython/pull/4845

https://exchange.xforce.ibmcloud.com/vulnerabilities/94497

https://bugzilla.redhat.com/show_bug.cgi?id=1119890

http://seclists.org/oss-sec/2014/q3/152

http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html

http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython

http://advisories.mageia.org/MGASA-2014-0320.html

Details

Source: Mitre, NVD

Published: 2014-08-07

Updated: 2018-10-30

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

Detections

Analytics