python · jupyter-server · Critical
jupyter-server: XSS fix in nbconvert HTTP handlers
What changed
Fixed stored XSS vulnerability in nbconvert HTTP handlers where user-authored notebook HTML was rendered without a sandbox directive in Content-Security-Policy, allowing token exfiltration and kernel RCE.
Who is affected
All users of jupyter_server prior to v2.20.0 who serve untrusted notebooks via /nbconvert/html/.
What to do today
Upgrade to jupyter_server v2.20.0 or apply the workaround in jupyter_server_config.py.
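To confirm after upgrading that responses from /nbconvert/html/ actually carry a sandbox directive, the Content-Security-Policy header value can be audited as below. This is an added example, not code from jupyter_server or from this advisory; the function names are hypothetical and the sample header values are constructed.

```python
def parse_csp(policy_text):
    """Parse one CSP policy into {directive: [tokens]}.

    Directive names are case-insensitive, and a directive that is
    repeated inside one policy is ignored after its first occurrence.
    """
    policy = {}
    for part in policy_text.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_sandbox(header):
    """Return a list of findings for a Content-Security-Policy header value.

    An empty list means the document is sandboxed and is not granted
    scripts and same-origin access together.
    """
    if not header or not header.strip():
        return ["no Content-Security-Policy header"]
    # A comma separates independent policies; the browser enforces all of
    # them, so a sandbox flag is only granted if every sandbox directive
    # grants it (intersection of the allow-* tokens).
    flag_sets = []
    for policy_text in header.split(","):
        policy = parse_csp(policy_text)
        if "sandbox" in policy:
            flag_sets.append({t.lower() for t in policy["sandbox"]})
    if not flag_sets:
        return ["CSP has no sandbox directive"]
    allowed = set.intersection(*flag_sets)
    # With both flags, rendered notebook HTML can run script with the
    # server's origin, which is the condition this advisory describes.
    if {"allow-scripts", "allow-same-origin"} <= allowed:
        return ["sandbox allows scripts and same-origin together"]
    return []


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real server.
    samples = [
        "frame-ancestors 'self'; report-uri /api/security/csp-report",
        "frame-ancestors 'self'; sandbox allow-scripts",
    ]
    for value in samples:
        print(value, "->", audit_sandbox(value) or "ok")
```

Feed it the header value from a response to a /nbconvert/html/ request on your own deployment; any non-empty result means the rendered notebook is not isolated from the server's origin.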