PT-2021-6459 · Unknown+2 · Jupyter Notebook+2
0Xdeva +1 · Published 2021-08-05 · Updated 2024-08-02 · CVE-2021-32798
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Jupyter Notebook versions prior to 5.7.11
Jupyter Notebook versions prior to 6.4.1
Description
The issue is related to the incorrect filtering of special symbols in the Caja component of the Jupyter Notebook environment, allowing a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. In affected versions, an untrusted notebook can execute code on load, and Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook, allowing an attacker to execute arbitrary code on the victim's computer using Jupyter APIs.
Recommendations
For versions prior to 5.7.11, update to version 5.7.11 or later.
For versions prior to 6.4.1, update to version 6.4.1 or later.
As a temporary workaround, consider restricting the execution of untrusted notebooks to minimize the risk of exploitation.
Avoid opening malicious ipynb documents in Jupyter Notebook until the issue is resolved.
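A pre-open triage for the workaround above, as an added example that is not part of the original advisory or of Jupyter's own code: it lists the cells of an untrusted ipynb file whose content the front end renders as markup on load, and can drop saved outputs before review. The function names, the MIME list and the sample notebook are assumptions constructed for illustration; the check is a heuristic for nbformat 4 files and does not replace updating.

```python
import json
import re

# MIME types rendered as markup or script (assumed list, not taken from the advisory).
ACTIVE_MIMES = {"text/html", "text/markdown", "image/svg+xml", "application/javascript"}
HTML_TAG = re.compile(r"<\s*[a-zA-Z!/][^>]*>")  # heuristic: anything that looks like a tag

def _text(value):
    """nbformat stores multi-line strings either as str or as a list of str."""
    return "".join(value) if isinstance(value, list) else str(value or "")

def triage_notebook(raw_json):
    """Return (cell_index, reason) findings for content rendered as markup on load."""
    nb = json.loads(raw_json)
    findings = []
    for idx, cell in enumerate(nb.get("cells", [])):
        ctype = cell.get("cell_type")
        if ctype == "markdown" and HTML_TAG.search(_text(cell.get("source"))):
            findings.append((idx, "markdown cell contains raw HTML"))
        if ctype == "code":
            for out in cell.get("outputs", []):
                # stream and error outputs carry no "data" bundle
                for mime in sorted(ACTIVE_MIMES & set(out.get("data", {}))):
                    findings.append((idx, f"saved output of type {mime}"))
    return findings

def strip_rendered_content(raw_json):
    """Return notebook JSON with saved outputs removed so none is rendered on open."""
    nb = json.loads(raw_json)
    for cell in nb.get("cells", []):
        if cell.get("cell_type") == "code":
            cell["outputs"] = []
            cell["execution_count"] = None
    return json.dumps(nb, indent=1)

# Constructed sample notebook (nbformat 4), benign content only.
SAMPLE = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Title\n", "plain text"]},
        {"cell_type": "markdown", "metadata": {}, "source": "<div class=\"note\">hi</div>"},
        {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": "df",
         "outputs": [{"output_type": "execute_result", "execution_count": 1, "metadata": {},
                      "data": {"text/plain": "x", "text/html": "<table></table>"}}]},
    ],
})

if __name__ == "__main__":
    for idx, reason in triage_notebook(SAMPLE):
        print(f"cell {idx}: {reason}")
```

Markdown cells that still contain raw HTML after stripping outputs remain flagged and need manual review in a text editor, not in the notebook front end.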
Exploit
Fix
XSS
Affected Products
Alt Linux
Debian
Jupyter Notebook