FreeBSD : Jupyter notebook -- cross-site inclusion (XSSI) vulnerability (72a6e3be-483a-11e9-92d7-f1590402501e)

high Nessus Plugin ID 122885

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Jupyter notebook Changelog:

5.7.6 contains a security fix for a cross-site inclusion (XSSI) vulnerability, where files at a known URL could be included in a page from an unauthorized website if the user is logged into a Jupyter server. The fix involves setting the X-Content-Type-Options: nosniff header, and applying CSRF checks previously on all non-GET API requests to GET requests to API endpoints and the /files/ endpoint.

The attacking page is able to access some contents of files when using Internet Explorer through script errors, but this has not been demonstrated with other browsers. A CVE has been requested for this vulnerability.
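As an added illustration of the two mitigations the changelog describes (example code, not Jupyter's own): a minimal request-handling model that sends X-Content-Type-Options: nosniff on every response and extends the CSRF token check from non-GET requests to GET requests under /api/ and /files/. The Request shape, the _xsrf cookie and X-XSRFToken header names, and the sample tokens are assumptions made for this example.

```python
# Added example (not the Jupyter project's code): models the 5.7.6 mitigations
# against XSSI on an in-memory request. Cookie/header names are assumptions.
import hmac
from dataclasses import dataclass, field

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# The fix adds these GET paths to the set that must carry a valid CSRF token.
XSRF_PROTECTED_GET_PREFIXES = ("/api/", "/files/")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)   # e.g. {"X-XSRFToken": "..."}
    cookies: dict = field(default_factory=dict)   # e.g. {"_xsrf": "..."}
    query: dict = field(default_factory=dict)     # e.g. {"_xsrf": "..."}


def requires_xsrf_check(req: Request) -> bool:
    """Before the fix only non-GET requests were checked; a cross-site
    <script src=...> include is a plain GET, so API and /files/ GETs are
    now checked as well."""
    if req.method in STATE_CHANGING_METHODS:
        return True
    return req.method == "GET" and req.path.startswith(XSRF_PROTECTED_GET_PREFIXES)


def xsrf_token_matches(req: Request) -> bool:
    """Double-submit check: the token presented in a header or query argument
    must equal the _xsrf cookie. A cross-origin page can make the browser
    send the cookie but cannot read it, so it cannot supply a match."""
    cookie = req.cookies.get("_xsrf")
    presented = req.headers.get("X-XSRFToken") or req.query.get("_xsrf")
    if not cookie or not presented:
        return False
    return hmac.compare_digest(cookie, presented)


def handle(req: Request) -> tuple:
    """Return (status, response headers). nosniff is always set so a browser
    will not reinterpret a notebook or data file as script or stylesheet."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if requires_xsrf_check(req) and not xsrf_token_matches(req):
        return 403, headers
    return 200, headers


if __name__ == "__main__":
    # Constructed sample: a cross-site include sends the cookie but no token.
    print(handle(Request("GET", "/files/notes.txt", cookies={"_xsrf": "tok"})))
```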

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?1ee366c1

http://www.nessus.org/u?fc188a9c

http://www.nessus.org/u?e116cf63

http://www.nessus.org/u?39988fba

http://www.nessus.org/u?50d03d73

http://www.nessus.org/u?dc4b5e69

http://www.nessus.org/u?d52aebfd

http://www.nessus.org/u?819250a8

http://www.nessus.org/u?a9601f46

http://www.nessus.org/u?b0683f8f

http://www.nessus.org/u?2e61e95b

Plugin Details

Severity: High

ID: 122885

File Name: freebsd_pkg_72a6e3be483a11e992d7f1590402501e.nasl

Version: 1.1

Type: local

Published: 3/18/2019

Updated: 3/18/2019

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:py27-notebook, p-cpe:/a:freebsd:freebsd:py35-notebook, p-cpe:/a:freebsd:freebsd:py36-notebook, p-cpe:/a:freebsd:freebsd:py37-notebook, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 3/16/2019

Vulnerability Publication Date: 3/10/2019