Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
"allows one user to run code as another", another unprivileged user or
potentially the root user?
Please stabilize 4.11.2.
(In reply to John Helmert III from comment #1)
> Please cleanup
It seems to be clean.
GLSA request filed
The bug has been referenced in the following commit(s):
Author: GLSAMaker <firstname.lastname@example.org>
AuthorDate: 2023-01-11 05:17:06 +0000
Commit: John Helmert III <email@example.com>
CommitDate: 2023-01-11 05:22:05 +0000
[ GLSA 202301-04 ] jupyter_core: Arbitrary Code Execution
Signed-off-by: GLSAMaker <firstname.lastname@example.org>
Signed-off-by: John Helmert III <email@example.com>
glsa-202301-04.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
GLSA released, all done!