Bugzilla – Bug 939064
VUL-0: CVE-2015-5607: ipython: cross-site request forgery in get_origin()
Last modified: 2017-08-09 22:41:13 UTC
From: Kyle Kelley

Patches:
2.x: https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0
3.x: https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816

Affected versions: 0.12 ≤ version ≤ 3.2.0

Summary: POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn't.

API paths with issues:
* POST /api/contents/<path>/<file>
* POST /api/contents/<path>/<file>/checkpoints
* POST /api/contents/<path>/<file>/checkpoints/<checkpoint_id>
* POST /api/kernels
* POST /api/kernels/<kernel_id>/<action>
* POST /api/sessions
* POST /api/clusters/<cluster_id>/<action>

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1243842
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5607
http://seclists.org/oss-sec/2015/q3/157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5607
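The class of defect described above is mitigated by refusing state-changing requests whose origin does not match the host the server is reached on: a cross-site form POST carries the victim's cookies, but its Origin (or Referer) header names the attacker's site. The following is an added illustration of such a check, not code from IPython or from the linked commits; the header handling, the `allow_no_origin` switch and the sample requests are assumptions constructed for this example.

```python
"""Origin check for cookie-authenticated state-changing requests (added example)."""
from urllib.parse import urlsplit

# Safe methods cannot change server state, so CSRF is only a concern for these.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_same_origin_request(method, headers, allow_no_origin=False):
    """Return True if the request may be honoured, False if it looks cross-site.

    Browsers add an Origin header to cross-site form POSTs; older browsers only
    send Referer, so that is used as a fallback.  The origin's host[:port] must
    equal the Host header the request arrived with.  A request with neither
    header (e.g. a non-browser client) is rejected unless the caller opts in
    with allow_no_origin=True; "Origin: null" (sandboxed or data: pages) is
    always rejected because it yields an empty netloc.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    host = _header(headers, "Host")
    if not host:
        return False
    origin = _header(headers, "Origin")
    if origin is None:
        origin = _header(headers, "Referer")
        if origin is None:
            return allow_no_origin
    netloc = urlsplit(origin).netloc  # "" for "null" or malformed values
    return bool(netloc) and netloc.lower() == host.lower()


# Constructed sample requests: a same-origin notebook action and a cross-site
# form POST to one of the affected API paths, e.g. /api/kernels.
SAMPLE_REQUESTS = {
    "same-origin": ("POST", {"Host": "localhost:8888", "Origin": "http://localhost:8888"}),
    "cross-site": ("POST", {"Host": "localhost:8888", "Origin": "http://attacker.example"}),
}


def audit_samples(samples=SAMPLE_REQUESTS):
    """Evaluate each constructed request and report whether it is allowed."""
    return {name: is_same_origin_request(m, h) for name, (m, h) in samples.items()}
```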
bugbot adjusting priority
not maintained in SLES anymore, fixed in openSUSE