Bugzilla – Bug 935908
VUL-0: CVE-2015-4706 CVE-2015-4707: IPython,python3-IPython: XSS in JSON error responses
Last modified: 2017-07-11 13:46:06 UTC
CVE-2015-4707

From: Kyle Kelley <rgbkrk () gmail com>
Date: Mon, 22 Jun 2015 08:16:03 -0500

Email addresses of requester: security () ipython org; rgbkrk () gmail com; khanam () us ibm com
Software name: IPython notebook
Type of vulnerability: XSS
Attack outcome: Remote execution

Patch/issue:
* Current 3.x release https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce
* Minor backport to 2.x https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c

Affected versions: 2.0 ≤ version ≤ 2.4.1, 3.0 ≤ version ≤ 3.1

Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects users on Mozilla Firefox but not Chromium/Google Chrome.

API paths with issues:
* /api/contents (3.0-3.1)
* /api/notebooks (2.0-2.4, 3.0-3.1)

Mitigations:
Upgrade to IPython 3.2.

If using pip,
    pip install --upgrade ipython[notebook]

For conda:
    conda update conda
    conda update ipython ipython-notebook

If you can't upgrade directly,
* Set the content security policy for the API headers of the notebook to include `default-src 'none'` ( https://ipython.org/ipython-doc/3/whatsnew/version3.html#content-security-policy )
* Set the content type on API handlers to application/json

Vulnerability was found by Ahmad Khan, Security Engineer at IBM.

http://seclists.org/oss-sec/2015/q2/782

--------------------------------------------------------------------------

Followup from Mitre:

https://github.com/ipython/ipython/commit/7222bd53ad089a65fd610fab4626f9d0ab47dfce
https://github.com/ipython/ipython/commit/c2078a53543ed502efd968649fee1125e0eb549c

JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack.

(We wanted to have two CVE IDs because of the following difference in how 2.x and 3.x are affected. We realize that this is perhaps a marginal case for that, because the 3.x code is essentially just:

    self.log.warn("/api/notebooks is deprecated, use /api/contents")
    self.redirect(url_path_join(
        self.base_url,
        'api/contents',
    )

/api/contents (3.0-3.1)
Use CVE-2015-4706 for the /api/contents path.

/api/notebooks (2.0-2.4, 3.0-3.1)
Use CVE-2015-4707 for the /api/notebooks path.
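The response pattern the advisory and the Mitre followup describe, next to the two listed mitigations (application/json content type plus a `default-src 'none'` CSP on API responses), as an added example in plain Python; this is not IPython's own Tornado handler code, and the URL, function names and message text are constructed for illustration:

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample request: a lookup on the contents API for a missing
# entry, with a query parameter that carries markup. (Hypothetical path/param.)
SAMPLE_URL = "/api/contents/missing.ipynb?name=<b>probe</b>"

def _name_param(url):
    return parse_qs(urlsplit(url).query).get("name", [""])[0]

def vulnerable_error(url, status=404):
    """The defect described above: the error text is built from URL input and
    served as text/html, so a browser that renders it treats the input as markup."""
    body = "No such entry: %s" % _name_param(url)      # unescaped reflection
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    return status, headers, body

def hardened_error(url, status=404):
    """The mitigations listed in the advisory: JSON body, application/json
    content type, and a Content-Security-Policy of default-src 'none'."""
    body = json.dumps({"message": "No such entry: %s" % _name_param(url),
                       "reason": None})
    headers = {
        "Content-Type": "application/json",
        "Content-Security-Policy": "default-src 'none'",
    }
    return status, headers, body

def api_error_response_ok(headers, body):
    """Defender's check for one API error response (e.g. a captured 4xx from
    /api/contents): served as application/json, carries a default-src 'none'
    CSP, and the body really parses as JSON. Returns True only if all hold."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False
    if "default-src 'none'" not in headers.get("Content-Security-Policy", ""):
        return False
    try:
        json.loads(body)
    except ValueError:
        return False
    return True

if __name__ == "__main__":
    for build in (vulnerable_error, hardened_error):
        status, headers, body = build(SAMPLE_URL)
        print(build.__name__, status, headers["Content-Type"],
              "ok" if api_error_response_ok(headers, body) else "UNSAFE")
```

Run against real responses, the check flags any API error that still comes back as text/html, which is the condition the advisory's interim mitigations remove.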
SLE11 has IPython 0.8.4, which does not have html code - not affected.

SLE12 has IPython 1.1.0. It does have html code. But it does not seem to have the traceback output that is patched in above patches. So it seems not affected.

openSUSE 13.1: IPython 1.0.0
openSUSE 13.2: python3-IPython 2.2.0, IPython 2.2.0
openSUSE Factory: IPython 3.0.0, python3-IPython 3.1.0

=> fixes only needed for openSUSE.
bugbot adjusting priority
Leap version is safe