PT-2024-28639 · Unknown+1 · Jupyterlab Extension Template+1

Avivkeller +1 · Published 2024-07-16 · Updated 2025-12-18 · CVE-2024-39700

CVSS v3.1: 9.9 Critical

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

JupyterLab extension template versions prior to 4.3.0

Description

The JupyterLab extension template has a remote code execution (RCE) vulnerability in the update-integration-tests.yml workflow. This issue affects repositories created using the template with the test option. Extension authors are advised to upgrade the template to the latest version. Users who have modified the update-integration-tests.yml file should accept overwriting of this file and reapply their changes later. It is recommended to temporarily disable GitHub Actions while working on the upgrade and to rebase all open pull requests from untrusted users.

Recommendations

For versions prior to 4.3.0, upgrade the template to the latest version, overwriting the update-integration-tests.yml file if necessary, and reapply any changes made to this file later. As a temporary workaround, consider disabling GitHub Actions until the upgrade is complete. Restrict access to untrusted users' pull requests and rebase them to ensure actions run with the updated version.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2025-14780
ALT-PU-2025-8028
BIT-JUPYTERLAB-2024-39700
CVE-2024-39700
GHSA-45GQ-V5WM-82WG

Affected Products

Alt Linux
Jupyterlab Extension Template