Platform: python
Component: jupyterlab/extension-template
Fixed in: 4.3.4
CVE-2024-39700 describes a Remote Code Execution (RCE) vulnerability in the JupyterLab extension template. The flaw allows an attacker to execute arbitrary code within the GitHub Actions workflow of repositories generated from the template. It affects versions of the template up to and including 4.3.3; a fix is available in version 4.3.4.
The vulnerability lies in the update-integration-tests.yml workflow that the vulnerable JupyterLab extension template places in repositories created from it. An attacker who can influence the contents of this file, for example through a malicious pull request or by compromising a developer's account, could inject arbitrary commands into the workflow. Successful exploitation allows the attacker to execute code with the privileges of the GitHub Actions runner, which can amount to complete compromise of that environment. The blast radius extends to any repository built from the vulnerable template, particularly those relying on GitHub Actions for continuous integration and deployment.
This vulnerability was publicly disclosed on 2024-07-16. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the widespread use of GitHub Actions make this a high-priority concern. The vulnerability's presence in a template used for extension development increases the potential for supply chain attacks. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 3.92% (88th percentile)
The primary mitigation is to upgrade the JupyterLab extension template to version 4.3.4 or later. If an immediate upgrade is not feasible, temporarily disable GitHub Actions for the affected repository while working on the upgrade. If you have modified the update-integration-tests.yml file, carefully review and sanitize your changes so that no injected commands survive the upgrade. Rebasing open pull requests from untrusted users is also a crucial step, so that no malicious code is introduced during the upgrade process. After upgrading, confirm the absence of the vulnerable workflow by inspecting the repository's GitHub Actions configuration.
Update the JupyterLab extension template to version 4.3.4 or later. If you have made changes to the `update-integration-tests.yml` file, save a copy, update the template, and then re-apply your changes. Consider temporarily disabling GitHub Actions while performing the upgrade.
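The post-upgrade check above (confirm the vulnerable workflow is gone) and the underlying risk (untrusted input reaching a workflow `run:` step) can both be automated. The following script is an added example, not code from the JupyterLab project or from the advisory. It walks `.github/workflows/`, reports whether a file named `update-integration-tests.yml` is still present, and flags the general GitHub Actions command-injection pattern in which a contributor-controlled expression such as `${{ github.event.comment.body }}` is interpolated directly into a `run:` script. The list of "untrusted" expression prefixes, the sample workflows, and the `audit_workflows`/`audit_repo` function names are all assumptions of this example; the page does not state that this expression pattern is the exact mechanism of CVE-2024-39700.

```python
"""Audit GitHub Actions workflows for the advisory-named file and for untrusted
event data interpolated into run: steps. Added example, not the template's code."""
import re
import sys
from pathlib import Path

# Workflow file named in the advisory; after upgrading it should no longer exist.
ADVISORY_WORKFLOW = "update-integration-tests.yml"

# Expressions whose value an outside contributor can choose. Assumed list of
# commonly abused fields; it is not taken from the advisory page.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.(?:"
    r"event\.(?:issue|pull_request|comment|review|review_comment|discussion|head_commit|commits)\b"
    r"|head_ref\b"
    r")[^}]*\}\}"
)

# Matches a `run:` key (optionally as a list item) and captures its column.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_run_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions inside run: steps.

    Expressions placed under `env:` are deliberately not flagged: the value then
    reaches the shell as an environment variable instead of being pasted into
    the script text, which is the hardened form.
    """
    findings = []
    run_indent = None  # column of the `run:` key while inside its block scalar
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        m = RUN_KEY.match(line)
        if m:
            run_indent = len(m.group(1))
            text = m.group(2)  # inline script, or "|" / ">" opening a block scalar
        elif run_indent is not None and indent > run_indent:
            text = line  # continuation line of the block scalar
        else:
            run_indent = None  # left the run: block
            continue
        for expr in UNTRUSTED_EXPR.findall(text):
            findings.append((line_no, expr))
    return findings


def audit_workflows(workflows):
    """workflows: {relative path: file text}. Returns human-readable findings."""
    report = []
    for path, text in sorted(workflows.items()):
        if Path(path).name == ADVISORY_WORKFLOW:
            report.append(f"{path}: workflow named in CVE-2024-39700 still present; "
                          f"upgrade the extension template to 4.3.4 or later")
        for line_no, expr in find_run_injections(text):
            report.append(f"{path}:{line_no}: untrusted expression {expr} inside run: step")
    return report


def audit_repo(repo_root):
    """Read every workflow under <repo>/.github/workflows and audit it."""
    root = Path(repo_root)
    files = {str(p.relative_to(root)): p.read_text()
             for p in (root / ".github" / "workflows").glob("*.y*ml")}
    return audit_workflows(files)


# Constructed samples (not the template's real workflow contents): the same
# step written with the injection-prone pattern and with the hardened pattern.
VULNERABLE_WORKFLOW = """\
name: Update integration tests
on:
  issue_comment:
    types: [created]
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo the comment
        run: |
          echo "${{ github.event.comment.body }}"
"""

HARDENED_WORKFLOW = """\
name: Update integration tests
on:
  issue_comment:
    types: [created]
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo the comment
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "$COMMENT_BODY"
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        findings = audit_repo(sys.argv[1])
    else:
        findings = audit_workflows({
            ".github/workflows/update-integration-tests.yml": VULNERABLE_WORKFLOW,
            ".github/workflows/hardened.yml": HARDENED_WORKFLOW,
        })
    print("\n".join(findings) or "no findings")
```

Run it with a repository path to audit a real checkout, or with no arguments to audit the two constructed samples: the vulnerable one produces two findings (the advisory-named file is present, and a contributor-controlled expression sits inside a `run:` step) while the hardened one, which passes the same value through `env:`, produces none. The scanner is line-based rather than a full YAML parser, so treat its output as a review aid, not a proof of absence.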
CVE-2024-39700 is a critical Remote Code Execution vulnerability in the JupyterLab extension template affecting versions up to and including 4.3.3. It allows attackers to execute arbitrary code through the update-integration-tests.yml workflow.
You are affected if you are using the JupyterLab extension template version 4.3.3 or earlier and have not upgraded. Review your project's dependencies and GitHub Actions workflows.
Upgrade the JupyterLab extension template to version 4.3.4 or later. Temporarily disable GitHub Actions while upgrading if an immediate upgrade is not possible.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official JupyterLab project's security advisories and GitHub repository for updates and guidance: https://github.com/jupyterlab/extension-template/security/advisories