CVE-2014-3429

Sažetak

IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.

Reference

http://advisories.mageia.org/MGASA-2014-0320.html
http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html
http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
http://seclists.org/oss-sec/2014/q3/152
http://www.mandriva.com/security/advisories?name=MDVSA-2015:160
https://bugzilla.redhat.com/show_bug.cgi?id=1119890
https://exchange.xforce.ibmcloud.com/vulnerabilities/94497
https://github.com/ipython/ipython/pull/4845

CVSS

Base:	6.8
Impact:	6.4
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

30-10-2018 - 16:27

Objavljeno

07-08-2014 - 11:13