CVE-2018-8768: Jupyter Notebook file bypasses sanitization, executes JavaScript
CVSS Score: 7.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2018-8768
GHSA ID:
EPSS Score: 0.31216%
CWE: -
Published: 7/12/2018
Updated: 9/27/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
notebook | pip | < 5.4.1 | 5.4.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability arises from sanitization occurring before jQuery's DOM manipulation. The core issue is that Jupyter's sanitize_html function (or equivalent) failed to account for how jQuery would reinterpret invalid HTML remnants after sanitization. This allowed malicious content to be reconstructed into executable JavaScript during jQuery's parsing phase. The high confidence stems from the described attack vector (sanitization bypass via post-sanitization DOM manipulation) and the logical location of such sanitization logic in Jupyter's security-related JavaScript files.