Description
IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.
References (9)
Core References
http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html (Third Party Advisory; vendor-advisory; x_refsource_suse)
https://exchange.xforce.ibmcloud.com/vulnerabilities/94497 (Third Party Advisory, VDB Entry; vdb-entry; x_refsource_xf)
https://github.com/ipython/ipython/pull/4845 (Issue Tracking, Patch; x_refsource_confirm)
https://bugzilla.redhat.com/show_bug.cgi?id=1119890 (Issue Tracking; x_refsource_confirm)
http://advisories.mageia.org/MGASA-2014-0320.html (Third Party Advisory; x_refsource_confirm)
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython (Press/Media Coverage, Technical Description; x_refsource_confirm)
http://seclists.org/oss-sec/2014/q3/152 (Third Party Advisory, VDB Entry; mailing-list; x_refsource_mlist)
http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198 (Broken Link; mailing-list; x_refsource_mlist)
http://www.mandriva.com/security/advisories?name=MDVSA-2015:160 (Broken Link; vendor-advisory; x_refsource_mandriva)
Scores
EPSS: 0.0466
EPSS Percentile: 90.6%
Details
CWE: CWE-94
Status: published
Products (12)
ipython/ipython_notebook 0.12
ipython/ipython_notebook 0.12.1
ipython/ipython_notebook 0.13
ipython/ipython_notebook 0.13.1
ipython/ipython_notebook 0.13.2
ipython/ipython_notebook 1.0.0
ipython/ipython_notebook 1.1.0
mageia/mageia 3.0
mageia/mageia 4.0
opensuse/opensuse 13.1
... and 2 more
Published: Aug 07, 2014
Tracked Since: Feb 18, 2026