{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"MEDIUM"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction: the attacked user must open a malicious Markdown file using the JupyterLab preview feature. A malicious user can then access any data that the attacked user has access to, as well as perform arbitrary requests acting as the attacked user. JupyterLab version 4.0.11 has been patched. Users are advised to upgrade. Users unable to upgrade should disable the table of contents extension.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22420"
			},
			{
				"summary":"CVE-2024-22420 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2024/csaf-openeuler-cve-2024-22420.json"
			},
			{
				"summary":"openEuler-SA-2025-1239",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1239"
			},
			{
				"summary":"CVE-2024-22420",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-22420&packageName=python-jupyterlab"
			},
			{
				"summary":"openEuler-SA-2025-1240",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1240"
			}
		],
		"title":"openEuler cve CVE-2024-22420",
		"tracking":{
			"initial_release_date":"2025-03-07T23:30:41+08:00",
			"revision_history":[
				{
					"date":"2025-03-07T23:30:41+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2025-03-07T23:30:41+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2025-03-07T23:30:41+08:00",
			"id":"CVE-2024-22420",
			"version":"1.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"openEuler-24.03-LTS",
									"name":"openEuler-24.03-LTS"
								},
								"name":"openEuler-24.03-LTS",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"openEuler-24.03-LTS-SP1",
									"name":"openEuler-24.03-LTS-SP1"
								},
								"name":"openEuler-24.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python-jupyterlab-4.3.5-1.oe2403.src.rpm",
									"name":"python-jupyterlab-4.3.5-1.oe2403.src.rpm"
								},
								"name":"python-jupyterlab-4.3.5-1.oe2403.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"python-jupyterlab-4.3.5-1.oe2403sp1.src.rpm",
									"name":"python-jupyterlab-4.3.5-1.oe2403sp1.src.rpm"
								},
								"name":"python-jupyterlab-4.3.5-1.oe2403sp1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS"
									},
									"product_id":"python3-jupyterlab-4.3.5-1.oe2403.noarch.rpm",
									"name":"python3-jupyterlab-4.3.5-1.oe2403.noarch.rpm"
								},
								"name":"python3-jupyterlab-4.3.5-1.oe2403.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"python3-jupyterlab-4.3.5-1.oe2403sp1.noarch.rpm",
									"name":"python3-jupyterlab-4.3.5-1.oe2403sp1.noarch.rpm"
								},
								"name":"python3-jupyterlab-4.3.5-1.oe2403sp1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"product_name"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python-jupyterlab-4.3.5-1.oe2403.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python-jupyterlab-4.3.5-1.oe2403.src",
					"name":"python-jupyterlab-4.3.5-1.oe2403.src as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS",
				"product_reference":"python3-jupyterlab-4.3.5-1.oe2403.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS:python3-jupyterlab-4.3.5-1.oe2403.noarch",
					"name":"python3-jupyterlab-4.3.5-1.oe2403.noarch as a component of openEuler-24.03-LTS"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"python3-jupyterlab-4.3.5-1.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:python3-jupyterlab-4.3.5-1.oe2403sp1.noarch",
					"name":"python3-jupyterlab-4.3.5-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"python-jupyterlab-4.3.5-1.oe2403sp1.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:python-jupyterlab-4.3.5-1.oe2403sp1.src",
					"name":"python-jupyterlab-4.3.5-1.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2024-22420",
			"notes":[
				{
					"text":"JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction: the attacked user must open a malicious Markdown file using the JupyterLab preview feature. A malicious user can then access any data that the attacked user has access to, as well as perform arbitrary requests acting as the attacked user. JupyterLab version 4.0.11 has been patched. Users are advised to upgrade. Users unable to upgrade should disable the table of contents extension.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS:python-jupyterlab-4.3.5-1.oe2403.src",
					"openEuler-24.03-LTS:python3-jupyterlab-4.3.5-1.oe2403.noarch",
					"openEuler-24.03-LTS-SP1:python3-jupyterlab-4.3.5-1.oe2403sp1.noarch",
					"openEuler-24.03-LTS-SP1:python-jupyterlab-4.3.5-1.oe2403sp1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS:python-jupyterlab-4.3.5-1.oe2403.src",
						"openEuler-24.03-LTS:python3-jupyterlab-4.3.5-1.oe2403.noarch"
					],
					"details":"python-jupyterlab security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1239"
				},
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP1:python3-jupyterlab-4.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:python-jupyterlab-4.3.5-1.oe2403sp1.src"
					],
					"details":"python-jupyterlab security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1240"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.1,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS:python-jupyterlab-4.3.5-1.oe2403.src",
						"openEuler-24.03-LTS:python3-jupyterlab-4.3.5-1.oe2403.noarch",
						"openEuler-24.03-LTS-SP1:python3-jupyterlab-4.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:python-jupyterlab-4.3.5-1.oe2403sp1.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2024-22420"
		}
	]
}