CVE-2014-3429
NONE
Published Aug 7, 2014 (11y ago)
Last Modified Jun 17, 2026 (2w ago)
Description
IPython Notebook 0.12 through 1.x before 1.2 does not validate the origin of websocket requests, which allows remote attackers to execute arbitrary code by leveraging knowledge of the kernel id and a crafted page.
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-94: Improper Control of Generation of Code (Code Injection)
Affected Products 11
| Vendor | Product | Version | Range |
|---|---|---|---|
| opensuse | opensuse | 13.1 | any |
| opensuse | opensuse | 13.2 | any |
| ipython | ipython_notebook | 0.12 | any |
| ipython | ipython_notebook | 0.12.1 | any |
| ipython | ipython_notebook | 0.13 | any |
| ipython | ipython_notebook | 0.13.1 | any |
| ipython | ipython_notebook | 0.13.2 | any |
| ipython | ipython_notebook | 1.0.0 | any |
| ipython | ipython_notebook | 1.1.0 | any |
| mageia | mageia | 3.0 | any |
| mageia | mageia | 4.0 | any |
References 9
- advisories.mageia.org http://advisories.mageia.org/MGASA-2014-0320.html
- lambdaops.com http://lambdaops.com/cross-origin-websocket-hijacking-of-ipython
- lists.opensuse.org http://lists.opensuse.org/opensuse-updates/2014-08/msg00039.html
- permalink.gmane.org http://permalink.gmane.org/gmane.comp.python.ipython.devel/13198
- seclists.org http://seclists.org/oss-sec/2014/q3/152
- mandriva.com http://www.mandriva.com/security/advisories?name=MDVSA-2015:160
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=1119890
- exchange.xforce.ibmcloud.com https://exchange.xforce.ibmcloud.com/vulnerabilities/94497
- github.com https://github.com/ipython/ipython/pull/4845
Remediation
- github.com https://github.com/ipython/ipython/pull/4845