{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-43805","title":"Title"},{"category":"description","text":"jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 have been patched to resolve this issue. Users are advised to upgrade. There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are: 1. `@jupyterlab/mathjax-extension:plugin` - users will loose ability to preview mathematical equations. 2. `@jupyterlab/markdownviewer-extension:plugin` - users will loose ability to open Markdown previews. 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with optional `jupyterlab-mathjax2` package) - an older version of the mathjax plugin for JupyterLab 4.x. To disable these extensions run: ```jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && jupyter labextension disable @jupyterlab/mathjax-extension:plugin && jupyter labextension disable @jupyterlab/mathjax2-extension:plugin ``` in bash.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-43805","url":"https://www.suse.com/security/cve/CVE-2024-43805"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1229914 for CVE-2024-43805","url":"https://bugzilla.suse.com/1229914"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:0352-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AHLZGQA6FMW5UIO6ZBRWSGIB2JGKCLPB/"}],"title":"SUSE CVE CVE-2024-43805","tracking":{"current_release_date":"2025-03-15T04:45:54Z","generator":{"date":"2024-08-30T10:05:03Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-43805","initial_release_date":"2024-08-30T10:05:03Z","revision_history":[{"date":"2024-08-30T10:05:03Z","number":"2","summary":"Current version"},{"date":"2024-11-07T03:53:53Z","number":"3","summary":"Current version"},{"date":"2025-01-01T00:47:38Z","number":"4","summary":"Current version"},{"date":"2025-01-04T00:48:54Z","number":"5","summary":"Current version"},{"date":"2025-02-14T04:37:11Z","number":"6","summary":"Current version"},{"date":"2025-02-16T04:29:08Z","number":"7","summary":"Current version"},{"date":"2025-03-15T04:45:54Z","number":"8","summary":"Current version"}],"status":"interim","version":"8"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Package Hub 15 SP5","product":{"name":"SUSE Package Hub 15 SP5","product_id":"SUSE Package Hub 15 SP5"}},{"category":"product_name","name":"SUSE Package Hub 15 SP6","product":{"name":"SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6"}},{"category":"product_name","name":"openSUSE Leap 15.5","product":{"name":"openSUSE Leap 15.5","product_id":"openSUSE Leap 15.5","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.5"}}},{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}},{"category":"product_version","name":"jupyter-jupyterlab-2.2.10-bp155.2.3.1","product":{"name":"jupyter-jupyterlab-2.2.10-bp155.2.3.1","product_id":"jupyter-jupyterlab-2.2.10-bp155.2.3.1","product_identification_helper":{"purl":"pkg:rpm/suse/jupyter-jupyterlab@2.2.10-bp155.2.3.1"}}},{"category":"product_version","name":"jupyter-jupyterlab-2.2.10-bp156.3.3.1","product":{"name":"jupyter-jupyterlab-2.2.10-bp156.3.3.1","product_id":"jupyter-jupyterlab-2.2.10-bp156.3.3.1","product_identification_helper":{"purl":"pkg:rpm/suse/jupyter-jupyterlab@2.2.10-bp156.3.3.1"}}},{"category":"product_version","name":"python3-jupyterlab-2.2.10-bp155.2.3.1","product":{"name":"python3-jupyterlab-2.2.10-bp155.2.3.1","product_id":"python3-jupyterlab-2.2.10-bp155.2.3.1","product_identification_helper":{"purl":"pkg:rpm/suse/python3-jupyterlab@2.2.10-bp155.2.3.1"}}},{"category":"product_version","name":"python3-jupyterlab-2.2.10-bp156.3.3.1","product":{"name":"python3-jupyterlab-2.2.10-bp156.3.3.1","product_id":"python3-jupyterlab-2.2.10-bp156.3.3.1","product_identification_helper":{"purl":"pkg:rpm/suse/python3-jupyterlab@2.2.10-bp156.3.3.1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"jupyter-jupyterlab-2.2.10-bp155.2.3.1 as component of SUSE Package Hub 15 SP5","product_id":"SUSE Package Hub 15 SP5:jupyter-jupyterlab-2.2.10-bp155.2.3.1"},"product_reference":"jupyter-jupyterlab-2.2.10-bp155.2.3.1","relates_to_product_reference":"SUSE Package Hub 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"python3-jupyterlab-2.2.10-bp155.2.3.1 as component of SUSE Package Hub 15 SP5","product_id":"SUSE Package Hub 15 SP5:python3-jupyterlab-2.2.10-bp155.2.3.1"},"product_reference":"python3-jupyterlab-2.2.10-bp155.2.3.1","relates_to_product_reference":"SUSE Package Hub 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"jupyter-jupyterlab-2.2.10-bp156.3.3.1 as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:jupyter-jupyterlab-2.2.10-bp156.3.3.1"},"product_reference":"jupyter-jupyterlab-2.2.10-bp156.3.3.1","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"python3-jupyterlab-2.2.10-bp156.3.3.1 as component of SUSE Package Hub 15 SP6","product_id":"SUSE Package Hub 15 SP6:python3-jupyterlab-2.2.10-bp156.3.3.1"},"product_reference":"python3-jupyterlab-2.2.10-bp156.3.3.1","relates_to_product_reference":"SUSE Package Hub 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"jupyter-jupyterlab-2.2.10-bp155.2.3.1 as component of openSUSE Leap 15.5","product_id":"openSUSE Leap 15.5:jupyter-jupyterlab-2.2.10-bp155.2.3.1"},"product_reference":"jupyter-jupyterlab-2.2.10-bp155.2.3.1","relates_to_product_reference":"openSUSE Leap 15.5"},{"category":"default_component_of","full_product_name":{"name":"python3-jupyterlab-2.2.10-bp155.2.3.1 as component of openSUSE Leap 15.5","product_id":"openSUSE Leap 15.5:python3-jupyterlab-2.2.10-bp155.2.3.1"},"product_reference":"python3-jupyterlab-2.2.10-bp155.2.3.1","relates_to_product_reference":"openSUSE Leap 15.5"},{"category":"default_component_of","full_product_name":{"name":"jupyter-jupyterlab-2.2.10-bp156.3.3.1 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:jupyter-jupyterlab-2.2.10-bp156.3.3.1"},"product_reference":"jupyter-jupyterlab-2.2.10-bp156.3.3.1","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"python3-jupyterlab-2.2.10-bp156.3.3.1 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:python3-jupyterlab-2.2.10-bp156.3.3.1"},"product_reference":"python3-jupyterlab-2.2.10-bp156.3.3.1","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2024-43805","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-43805"}],"notes":[{"category":"general","text":"jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. This vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 have been patched to resolve this issue. Users are advised to upgrade. There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are: 1. `@jupyterlab/mathjax-extension:plugin` - users will loose ability to preview mathematical equations. 2. `@jupyterlab/markdownviewer-extension:plugin` - users will loose ability to open Markdown previews. 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with optional `jupyterlab-mathjax2` package) - an older version of the mathjax plugin for JupyterLab 4.x. To disable these extensions run: ```jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && jupyter labextension disable @jupyterlab/mathjax-extension:plugin && jupyter labextension disable @jupyterlab/mathjax2-extension:plugin ``` in bash.","title":"CVE description"}],"product_status":{"recommended":["SUSE Package Hub 15 SP5:jupyter-jupyterlab-2.2.10-bp155.2.3.1","SUSE Package Hub 15 SP5:python3-jupyterlab-2.2.10-bp155.2.3.1","SUSE Package Hub 15 SP6:jupyter-jupyterlab-2.2.10-bp156.3.3.1","SUSE Package Hub 15 SP6:python3-jupyterlab-2.2.10-bp156.3.3.1","openSUSE Leap 15.5:jupyter-jupyterlab-2.2.10-bp155.2.3.1","openSUSE Leap 15.5:python3-jupyterlab-2.2.10-bp155.2.3.1","openSUSE Leap 15.6:jupyter-jupyterlab-2.2.10-bp156.3.3.1","openSUSE Leap 15.6:python3-jupyterlab-2.2.10-bp156.3.3.1"]},"references":[{"category":"external","summary":"CVE-2024-43805","url":"https://www.suse.com/security/cve/CVE-2024-43805"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1229914 for CVE-2024-43805","url":"https://bugzilla.suse.com/1229914"},{"category":"external","summary":"Advisory link for openSUSE-SU-2024:0352-1","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/AHLZGQA6FMW5UIO6ZBRWSGIB2JGKCLPB/"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["SUSE Package Hub 15 SP5:jupyter-jupyterlab-2.2.10-bp155.2.3.1","SUSE Package Hub 15 SP5:python3-jupyterlab-2.2.10-bp155.2.3.1","SUSE Package Hub 15 SP6:jupyter-jupyterlab-2.2.10-bp156.3.3.1","SUSE Package Hub 15 SP6:python3-jupyterlab-2.2.10-bp156.3.3.1","openSUSE Leap 15.5:jupyter-jupyterlab-2.2.10-bp155.2.3.1","openSUSE Leap 15.5:python3-jupyterlab-2.2.10-bp155.2.3.1","openSUSE Leap 15.6:jupyter-jupyterlab-2.2.10-bp156.3.3.1","openSUSE Leap 15.6:python3-jupyterlab-2.2.10-bp156.3.3.1"]}],"scores":[{"cvss_v3":{"baseScore":7.6,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L","version":"3.1"},"products":["SUSE Package Hub 15 SP5:jupyter-jupyterlab-2.2.10-bp155.2.3.1","SUSE Package Hub 15 SP5:python3-jupyterlab-2.2.10-bp155.2.3.1","SUSE Package Hub 15 SP6:jupyter-jupyterlab-2.2.10-bp156.3.3.1","SUSE Package Hub 15 SP6:python3-jupyterlab-2.2.10-bp156.3.3.1","openSUSE Leap 15.5:jupyter-jupyterlab-2.2.10-bp155.2.3.1","openSUSE Leap 15.5:python3-jupyterlab-2.2.10-bp155.2.3.1","openSUSE Leap 15.6:jupyter-jupyterlab-2.2.10-bp156.3.3.1","openSUSE Leap 15.6:python3-jupyterlab-2.2.10-bp156.3.3.1"]}],"threats":[{"category":"impact","date":"2024-08-28T22:00:23Z","details":"important"}],"title":"CVE-2024-43805"}]}