Platform
python
Component
jupyterlab/extension-template
Fixed in
4.3.4
CVE-2024-39700 describes a Remote Code Execution (RCE) vulnerability in the JupyterLab extension template (jupyterlab/extension-template). The flaw lets an attacker execute arbitrary code inside the GitHub Actions workflow of repositories generated from the template. It affects template versions up to and including 4.3.3; the fix ships in version 4.3.4.
The vulnerability lies in the update-integration-tests.yml workflow that the vulnerable template places in every repository it generates. An attacker who can influence what this workflow runs, for example through a malicious pull request or by compromising a developer's account, can inject arbitrary commands into it. Successful exploitation yields code execution with the privileges of the GitHub Actions runner and of the token the job holds, which can mean compromise of the repository and of any secrets the workflow can reach. The blast radius extends to every project built from the vulnerable template that still carries the generated workflow, particularly those relying on GitHub Actions for continuous integration and deployment.
The vulnerability was publicly disclosed on 2024-07-16. No active exploitation campaign has been publicly reported, but the ease of exploitation and the ubiquity of GitHub Actions make it a high-priority concern. Because the flaw sits in a template used to bootstrap extension projects, it is a supply-chain risk: every extension generated from an affected version inherits the workflow. It is not currently listed in the CISA KEV catalog.
Developers and organizations that created extensions from the JupyterLab extension template are at immediate risk. Teams relying on GitHub Actions for continuous integration and deployment are particularly exposed, since the workflow is the direct attack vector. Repositories that accept pull requests from many developers or from external contributors are at increased risk.
• python: Examine the GitHub Actions workflows in the repository (.github/workflows/update-integration-tests.yml in particular) for suspicious commands or scripts. A coarse first pass is a recursive, case-insensitive grep for download and shell-spawning tools (the -E flag is required: without it grep treats the | literally and the original pattern matches nothing):
    grep -rEi 'curl|wget|powershell' .github/workflows/
  grep exits 0 and prints the offending line when it finds a match, so an empty result is the expected state of a clean repository.
• generic web: Monitor GitHub repositories created from the vulnerable template for unusual activity or unexpected changes to the update-integration-tests.yml file.
• supply-chain: Review dependencies and pull requests in JupyterLab extension projects for contributions that touch the update-integration-tests.yml workflow or the inputs it consumes.
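The grep above only catches obvious download commands. The general pattern behind workflow RCEs of this kind is an attacker-controlled expression (issue or PR text, comment bodies, branch names) expanded directly into a run: shell step, which GitHub calls script injection. The scanner below is an added example written for this page, not code from the JupyterLab project, and it assumes this CVE belongs to that class. It walks the run: steps of a workflow file, flags `${{ ... }}` expressions drawn from untrusted contexts, and reports triggers (issue_comment, pull_request_target, workflow_run) under which a fork-originated event still gets a privileged token. The two sample workflows are constructed for the demonstration and are not the real update-integration-tests.yml; the hardened one shows the standard fix of passing untrusted values through env: so the shell sees them as variable contents rather than script text.

```python
"""Heuristic scanner for GitHub Actions script injection (example written for
this page, not code from the JupyterLab project)."""
import re
from dataclasses import dataclass

# Expression contexts whose text an outside contributor controls (issue and PR
# text, comments, branch names). Assumption: illustrative, not exhaustive.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.comment.body", "github.event.pull_request.head.ref",
    "github.head_ref", "github.event.head_commit.message",
)
# Events whose jobs hold a write-capable token even when a fork raised them.
PRIVILEGED_TRIGGERS = ("pull_request_target", "issue_comment", "workflow_run")

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
TRIGGER_RE = re.compile(r"^\s*(?:-\s+)?(%s)\b" % "|".join(PRIVILEGED_TRIGGERS), re.M)


@dataclass
class Finding:
    line: int        # 1-based line in the workflow file
    expression: str  # context spliced into the shell script


def _run_blocks(lines):
    """Yield (line_number, text) for every line belonging to a run: step."""
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        yield i + 1, value
        i += 1
        if value[:1] in ("|", ">"):  # block scalar: body is the more-indented lines below
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                yield i + 1, lines[i]
                i += 1


def scan_workflow(text):
    """Return a Finding for each untrusted expression expanded inside a run: script."""
    return [Finding(n, e) for n, content in _run_blocks(text.splitlines())
            for e in EXPR_RE.findall(content) if e.startswith(UNTRUSTED_PREFIXES)]


def privileged_triggers(text):
    """Return the fork-privileged trigger events the workflow subscribes to."""
    return sorted(set(TRIGGER_RE.findall(text)))


# Constructed sample showing the injection pattern; not the template's real file.
VULNERABLE_WORKFLOW = """\
name: Update integration tests
on:
  issue_comment:
    types: [created]
jobs:
  update-snapshots:
    steps:
      - name: Echo trigger details
        run: |
          echo "Comment: ${{ github.event.comment.body }}"
          echo "Title: ${{ github.event.issue.title }}"
"""

# Same job hardened: untrusted values reach the shell only as env variables.
HARDENED_WORKFLOW = """\
name: Update integration tests
on:
  issue_comment:
    types: [created]
jobs:
  update-snapshots:
    steps:
      - name: Echo trigger details
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "Comment: $COMMENT_BODY"
          echo "Title: $ISSUE_TITLE"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits, triggers = scan_workflow(wf), privileged_triggers(wf)
        print(f"{label}: {len(hits)} injection point(s), privileged triggers {triggers}")
        for f in hits:
            print(f"  line {f.line}: ${{{{ {f.expression} }}}} expanded inside run:")
```

Run it against every file under .github/workflows/ in a checkout of each extension repository. A hit combined with a privileged trigger is the high-severity case: attacker text reaches a shell in a job that can push to the repository or read its secrets. The scanner is line-based on purpose so it needs no YAML library, at the cost of missing expressions routed through with: inputs of composite actions.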
EPSS
3.92% (88th percentile)
The primary mitigation is to upgrade the JupyterLab extension template to version 4.3.4 or later and regenerate the workflow. If an immediate upgrade is not feasible, temporarily disable GitHub Actions for the repository while the upgrade is prepared. If you have modified update-integration-tests.yml locally, review and re-apply your changes on top of the fixed version rather than keeping the old file. Open pull requests from untrusted contributors should be rebased onto the fixed branch so they no longer run the old workflow file. After upgrading, confirm that the vulnerable workflow is gone by inspecting the repository's GitHub Actions configuration.
Update the JupyterLab extension template to version 4.3.4 or later. If you have made changes to the `update-integration-tests.yml` file, keep a copy, update the template, and then re-apply your changes. Consider temporarily disabling GitHub Actions while you perform the update.
CVE-2024-39700 is a critical Remote Code Execution vulnerability in the JupyterLab extension template affecting versions up to and including 4.3.3. It allows attackers to execute arbitrary code through the update-integration-tests.yml workflow in repositories generated from the template.
You are affected if your extension repository was generated from template version 4.3.3 or earlier and still contains the generated update-integration-tests.yml workflow. Review your project's GitHub Actions workflows and the template version it was created from.
Upgrade the JupyterLab extension template to version 4.3.4 or later. If an immediate upgrade is not possible, temporarily disable GitHub Actions while you upgrade.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a high-priority concern.
Refer to the official JupyterLab project's security advisories and GitHub repository for updates and guidance: https://github.com/jupyterlab/extension-template/security/advisories