Krassowski

**Name of the Vulnerable Software and Affected Versions** JupyterLab versions prior to 3.6.8 JupyterLab versions prior to 4.2.5 Jupyter Notebook versions prior to 7.2.2 **Description** This issue depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature. A malicious user can access any data that the attacked user has access to as well as perform arbitrary requests acting as the attacked user. **Recommendations** To resolve the issue, upgrade to JupyterLab version 3.6.8, 4.2.5 or later, or Jupyter Notebook version 7.2.2 or later. As a temporary workaround, consider disabling the following plugins: - `@jupyterlab/mathjax-extension:plugin` to prevent previewing mathematical equations - `@jupyterlab/markdownviewer-extension:plugin` to prevent opening Markdown previews - `@jupyterlab/mathjax2-extension:plugin` (if installed) to prevent using an older version of the mathjax plugin for JupyterLab 4.x To disable these extensions, run the following commands in bash: jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin jupyter labextension disable @jupyterlab/mathjax-extension:plugin jupyter labextension disable @jupyterlab/mathjax2-extension:plugin

**Name of the Vulnerable Software and Affected Versions** Jupyter Scheduler versions 1.0.0 through 1.1.5 Jupyter Scheduler version 1.2.0 Jupyter Scheduler versions 1.3.0 through 1.8.1 Jupyter Scheduler versions 2.0.0 through 2.5.1 **Description** Jupyter Scheduler is a collection of extensions for programming jobs to run now or run on a schedule. The list of conda environments of `jupyter-scheduler` users may be exposed, potentially revealing information about projects that a specific user may be working on. This issue is caused by a missing authentication check in Jupyter Server on the API endpoint `GET /scheduler/runtime environments`, which lists the names of the Conda environments on the server. An unauthenticated user can obtain the list of Conda environment names on the server, revealing any information that may be present in a Conda environment name. **Recommendations** For Jupyter Scheduler versions 1.0.0 through 1.1.5, update to version 1.1.6. For Jupyter Scheduler version 1.2.0, update to version 1.2.1. For Jupyter Scheduler versions 1.3.0 through 1.8.1, update to version 1.8.2. For Jupyter Scheduler versions 2.0.0 through 2.5.1, update to version 2.5.2. As a temporary workaround, server operators who are unable to upgrade can disable the `jupyter-scheduler` extension with the command `jupyter server extension disable jupyter-scheduler`.

**Name of the Vulnerable Software and Affected Versions** JupyterLab versions prior to 4.0.11 **Description** This issue depends on user interaction by opening a malicious Markdown file using JupyterLab's preview feature. A malicious user can access any data that the attacked user has access to and perform arbitrary requests acting as the attacked user. **Recommendations** For versions prior to 4.0.11, upgrade to version 4.0.11 or later. As a temporary workaround for users unable to upgrade, disable the table of contents extension by running `jupyter labextension disable @jupyterlab/toc-extension:registry` in the terminal.