CVE-2022-39286 Jupyter Core is a package for core common functionality of Jupyter projects. Jupyter Core contains an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in CWD.

If you use an earlier version than 4.11.2, you should upgrade as soon as possible.

CVE-2018-1000936: Arbitrary code execution through `jupyter_core` in CWD An arbitrary code execution vulnerability in `jupyter_core` allows an attacker to execute code with the privileges of the user running `jupyter_core`. The vulnerability stems from `jupyter_core` executing untrusted files in CWD. It was discovered that `jupyter_core` was setting the `X_XQM_SERVER_ROOT` environment variable to the current working directory of the process that is executing `jupyter_core`. An attacker can craft a malicious Python script that sets the `X_XQM_SERVER_ROOT` environment variable such that when `jupyter_core` runs the malicious script, it will execute code in the context of the user `jupyter_core` is running as. This issue has been resolved in version 4.11.2. If you are using an earlier version, you should upgrade as soon as possible. An upgrade is simple and safe. You can upgrade `jupyter_core` by running `pip install -- upgrade jupyter_core` on the command line. This upgrade is safe and simple.

References !--- https://github.com/ipython/ipython/issues/39286

https://github.com/ipython/jupyter_core/commit/7e8a0d6f3aaa325ddc3e314941d59fb761b2a6ea

Mitigation Strategies

To mitigate this vulnerability, you should ensure that your Python scripts are signed by a trusted authority. If your Python scripts are not signed in this way, you should consider using the `signall` library to sign your scripts. Additionally, you should use a different method for setting environment variables like `X_XQM_SERVER_ROOT` that does not rely on executing malicious scripts.

What version of Jupyter is vulnerable?

Jupyter 4.11.2 is the only version that is vulnerable to this issue. If you are using a version of Jupyter earlier than 4.11.2, you are not vulnerable to this issue and should not be worried about it at all.

How To Avoid The 5 Most Common Mistakes When Outsourcing SEO

Mitigation

If you are not using version 4.11.2, or if you have updated to that version and are still experiencing this issue you should disable the environment variable `X_XQM_SERVER_ROOT`. You can do so by running the following command in a Python interpreter that has `jupyter_core` installed:

import os
os.environ["X_XQM_SERVER_ROOT"] = "."
Optionally, to avoid setting an environment variable on every single Python file that starts with a `#!`, you can use the following uppercase command:

import os; os.environ["X_XQM_SERVER_ROOT"] = "."

Timeline

Published on: 10/26/2022 20:15:00 UTC
Last modified on: 11/17/2022 14:15:00 UTC

References

• https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283
• https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp
• https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39286