Platform
python
Component
jupyterlab/extension-template
Fixed in
4.3.4
CVE-2024-39700 describes a Remote Code Execution (RCE) vulnerability found in the JupyterLab extension template. This flaw allows attackers to potentially execute arbitrary code within the GitHub Actions workflow. The vulnerability affects versions of the template up to and including 4.3.3. A fix is available in version 4.3.3.
The vulnerability lies within the update-integration-tests.yml workflow included in repositories created using the vulnerable JupyterLab extension template. An attacker who can influence the contents of this file, for example, through a malicious pull request or by compromising a developer's account, could inject arbitrary commands into the workflow. Successful exploitation could lead to complete system compromise, allowing the attacker to execute code with the privileges of the GitHub Actions runner. The blast radius extends to any environment utilizing extensions built with this vulnerable template, particularly those leveraging GitHub Actions for continuous integration and deployment.
This vulnerability was publicly disclosed on 2024-07-16. While no active exploitation campaigns have been publicly reported, the ease of exploitation and the widespread use of GitHub Actions make this a high-priority concern. The vulnerability's presence in a template used for extension development increases the potential for supply chain attacks. It is not currently listed on the CISA KEV catalog.
Developers and organizations using the JupyterLab extension template to create new extensions are at immediate risk. Specifically, teams relying on GitHub Actions for continuous integration and deployment are particularly vulnerable, as the workflow is the direct attack vector. Shared hosting environments where multiple developers contribute to the same repository are also at increased risk.
• python: Examine GitHub Actions workflows (.github/workflows/update-integration-tests.yml) for suspicious commands or scripts, for example with a workflow step such as:
    - name: Check for malicious commands
      # -E enables alternation; without it grep treats '|' as a literal character.
      # grep exits 1 when nothing matches, so a clean tree makes this step fail;
      # invert the exit status if the step should fail only on a match.
      run: grep -riE 'curl|wget|powershell' .github/workflows/
• generic web: Monitor GitHub repositories using the vulnerable template for unusual activity or unexpected code changes within the update-integration-tests.yml file.
• supply-chain: Review dependencies and pull requests in JupyterLab extension projects for potential malicious contributions to the update-integration-tests.yml workflow.
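The following Python script is an added example, not part of this advisory: it automates the checks listed above by flagging the affected workflow file by name and scanning workflow lines for the same command names the grep looks for, while skipping YAML comment lines that a plain grep would report as false positives. The sample workflow contents are constructed, and the .github/workflows/ location is assumed from the advisory's path.

```python
import re
from pathlib import Path

VULNERABLE_WORKFLOW = "update-integration-tests.yml"
# The command patterns the advisory's grep looks for, matched as whole words.
SUSPICIOUS = re.compile(r"\b(curl|wget|powershell)\b", re.IGNORECASE)


def scan_workflow_text(name, text):
    """Return (file, line, message) findings for one workflow file's text."""
    findings = []
    if Path(name).name == VULNERABLE_WORKFLOW:
        findings.append((name, 0, "workflow from the affected template present; "
                                  "confirm the template has been upgraded"))
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # YAML comment, never executed
            continue
        match = SUSPICIOUS.search(line)
        if match:
            findings.append((name, lineno, f"suspicious command '{match.group(1).lower()}'"))
    return findings


def scan_repository(root):
    """Scan every workflow under <root>/.github/workflows/ (assumed location)."""
    findings = []
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings.extend(scan_workflow_text(str(path), path.read_text(encoding="utf-8")))
    return findings


# Constructed sample workflows (not the real template's content) for a dry run.
SAMPLE_WORKFLOWS = {
    ".github/workflows/update-integration-tests.yml": """\
name: Update Integration Tests
on:
  pull_request:
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - run: |
          pip install -e .
          # fetch helper with curl (comment only, must not be flagged)
          curl -fsSL https://example.invalid/setup.sh -o setup.sh
""",
    ".github/workflows/build.yml": "name: Build\non: [push]\njobs:\n  build:\n"
                                   "    steps:\n      - run: python -m pip install .\n",
}


def scan_samples():
    """Run the scanner over the constructed samples and return all findings."""
    return [f for n, t in SAMPLE_WORKFLOWS.items() for f in scan_workflow_text(n, t)]
```

Call scan_repository(".") from a checked-out extension repository to run the same checks against real workflow files.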
Public Disclosure
Exploit Status
EPSS
3.92% (percentile 88%)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the JupyterLab extension template to version 4.3.3 or later. If an immediate upgrade is not feasible, temporarily disabling GitHub Actions while working on the upgrade is recommended. For users who have modified the update-integration-tests.yml file, carefully review and sanitize any changes to prevent malicious code injection. Rebasing open pull requests from untrusted users is also a crucial step to ensure no malicious code is introduced during the upgrade process. After upgrading, confirm the absence of the vulnerable workflow by inspecting the repository’s GitHub Actions configuration.
Update the JupyterLab extension template to version 4.3.3 or later. If you have modified the `update-integration-tests.yml` file, save a copy, update the template, then reapply your changes. Consider temporarily disabling GitHub Actions during the update.
CVE-2024-39700 is a critical Remote Code Execution vulnerability in the JupyterLab extension template affecting versions up to 4.3.3. It allows attackers to execute arbitrary code through the update-integration-tests.yml workflow.
You are affected if you are using the JupyterLab extension template version 4.3.3 or earlier and have not upgraded. Review your project's dependencies and GitHub Actions workflows.
Upgrade the JupyterLab extension template to version 4.3.3 or later. Temporarily disable GitHub Actions while upgrading if immediate upgrade is not possible.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official JupyterLab project's security advisories and GitHub repository for updates and guidance: https://github.com/jupyterlab/extension-template/security/advisories