CVE-2014-3429

Opensuse < 1.2.0 - Code Injection

Title source: rule

Description

IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.

References (9)

Core References
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/94497
Issue Tracking, Patch x_refsource_confirm
https://github.com/ipython/ipython/pull/4845
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1119890
Third Party Advisory x_refsource_confirm
http://advisories.mageia.org/MGASA-2014-0320.html
Press/Media Coverage, Technical Description x_refsource_confirm
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
Third Party Advisory, VDB Entry mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q3/152
Broken Link mailing-list x_refsource_mlist
http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
Broken Link vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2015:160

Scores

EPSS 0.0466
EPSS Percentile 90.6%

Details

CWE CWE-94
Status published
Products (12)
ipython/ipython_notebook 0.12
ipython/ipython_notebook 0.12.1
ipython/ipython_notebook 0.13
ipython/ipython_notebook 0.13.1
ipython/ipython_notebook 0.13.2
ipython/ipython_notebook 1.0.0
ipython/ipython_notebook 1.1.0
mageia/mageia 3.0
mageia/mageia 4.0
opensuse/opensuse 13.1
... and 2 more
Published Aug 07, 2014
Tracked Since Feb 18, 2026