Headline
Debian Security Advisory 5422-1
Debian Linux Security Advisory 5422-1 - It was discovered that jupyter-core, the core common functionality for Jupyter projects, could execute arbitrary code in the current working directory while loading configuration files.
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5422-1 [email protected]://www.debian.org/security/ Aron XuJune 09, 2023 https://www.debian.org/security/faq- -------------------------------------------------------------------------Package : jupyter-coreCVE ID : CVE-2022-39286Debian Bug : 1023361It was discovered that jupyter-core, the core common functionality forJupyter projects, could execute arbitrary code in the current workingdirectory while loading configuration files.For the stable distribution (bullseye), this problem has been fixed inversion 4.7.1-1+deb11u1.We recommend that you upgrade your jupyter-core packages.For the detailed security status of jupyter-core please refer toits security tracker page at:https://security-tracker.debian.org/tracker/jupyter-coreFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: [email protected] PGP SIGNATURE-----iQEzBAEBCAAdFiEEhhz+aYQl/Bp4OTA7O1LKKgqv2VQFAmSC094ACgkQO1LKKgqv2VQqmAf7BuaSZZoh8XI6RUFVbwi0NSsFUVY0x4lLIUr49M+qpZoRsUxLAqjeAsqAnLONXNZeqRmL/lCL/4dZ1BvP0D3lW7DaKzP25D9HhamuBMo/8Uvcn/jKhTW+SwXG5qzJoN1XrHHN9ye/yFUd3em+wgZwlOUWVRAICTmnw0s1IA2Z1Urx5qIOD0wphuPwg2QeluVVXlhUDVm8fd0EHi2LupnukIfe4BnPvKtPPrt6wNYxiUEICrXsf21HV/xq07J3MmyJwNmJKw4+GhqDVhcbLW/tWwp51ux+nHXoHOR2GVILwVW1+qp24BOo6ecqG2VldohIy0T8eMebBH9ojICKHT+bpA===S5gL-----END PGP SIGNATURE-----Related news
Ubuntu Security Notice 6153-1 - It was discovered that Jupyter Core executed untrusted files in the current working directory. An attacker could possibly use this issue to execute arbitrary code.
Gentoo Linux Security Advisory 202301-4 - A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user. Versions less than 4.11.2 are affected.
### Impact _What kind of vulnerability is it? Who is impacted?_ We’d like to disclose an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in the current working directory. This vulnerability allows one user to run code as another. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Users should upgrade to `jupyter_core>=4.11.2`. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ No ### References _Are there any links users can visit to find out more?_ Similar advisory in [IPython](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.