SCA: security update for jupyterlab, notebook (GHSA-9q39-rmj3-p4r2)

high Tenable Self-Hosted Container Security Plugin ID 413410

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter
Notebook Architecture. This vulnerability depends on user interaction by opening a malicious notebook with
Markdown cells, or a Markdown file using the JupyterLab preview feature. A malicious user can access any data
that the attacked user has access to as well as perform arbitrary requests acting as the attacked user.
JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 have been patched to resolve this issue. Users are
advised to upgrade. There is no workaround for the underlying DOM Clobbering susceptibility. However,
select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the
risk. These are:
  1. `@jupyterlab/mathjax-extension:plugin` - users will lose the ability to preview mathematical equations.
  2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose the ability to open Markdown previews.
  3. `@jupyterlab/mathjax2-extension:plugin` (if installed with the optional `jupyterlab-mathjax2` package) - an older version of the MathJax plugin for JupyterLab 4.x.
  To disable these extensions, run the following in bash:
```
jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && \
jupyter labextension disable @jupyterlab/mathjax-extension:plugin && \
jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
```
  (CVE-2024-43805)
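As an added example (not code from the Tenable plugin or the advisory), the following Python applies the fixed versions named above to a `pip freeze` style inventory, the way a local SCA check would. The lower bounds of the affected ranges and the decision to treat classic notebook 6.x as out of scope are this example's assumptions; the page lists only the fixed versions.

```python
import re

# Fixed releases named in the advisory: jupyterlab 3.6.8 and 4.2.5, notebook 7.2.2.
# Lower bounds are this example's assumption (the plugin text lists only fixed
# versions); notebook 6.x (classic notebook) is assumed out of scope.
AFFECTED_RANGES = {
    "jupyterlab": [("0.0.0", "3.6.8"), ("4.0.0a0", "4.2.5")],
    "notebook": [("7.0.0a0", "7.2.2")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?")

def parse_version(text):
    """Parse 'X.Y.Z' with an optional a/b/rc pre-release tag into a comparable tuple.
    Pre-releases sort below the final release, so 4.2.5rc1 < 4.2.5 and is still affected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        stage = {"a": 0, "b": 1, "rc": 2}[m.group(4)]
        return release + (0, stage, int(m.group(5)))
    return release + (1,)

def is_affected(package, version):
    """True if the installed version lies in an affected range; fixed versions are excluded."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES.get(package, []))

def scan_freeze(freeze_output):
    """Run the check over `pip freeze` lines; returns [(package, version), ...] needing action."""
    findings = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        name = name.strip().lower()
        if name in AFFECTED_RANGES and is_affected(name, version):
            findings.append((name, version.strip()))
    return findings

# Constructed sample inventory, not a real host.
SAMPLE_FREEZE = "jupyterlab==4.2.4\nnotebook==7.2.2\nipykernel==6.29.5\n"

if __name__ == "__main__":
    for name, version in scan_freeze(SAMPLE_FREEZE):
        print(f"{name}=={version}: affected by CVE-2024-43805; upgrade, or disable the "
              "Markdown/MathJax plugins listed above as an interim measure")
```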

See Also

https://github.com/advisories/GHSA-9q39-rmj3-p4r2

Plugin Details

Severity: High

ID: 413410

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/27/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-43805

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.8

Threat Score: 6.8

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/29/2024

Vulnerability Publication Date: 8/28/2024

Reference Information

CVE: CVE-2024-43805

IAVB: 2024-B-0128

CWE: CWE-79