Vulnerabilities in bundled javascript libraries? #150

Closed
wshanks opened this issue Sep 13, 2022 · 10 comments
Comments

@wshanks

wshanks commented Sep 13, 2022

A security scanning tool flagged a few of the bundled javascript libraries in notebook version 6.4.12 as insecure. From what I understand, going forward notebook will draw its javascript components from this package. Should these components be updated or have the vulnerabilities been considered and deemed not applicable to notebook/nbclassic? Sorry if this is noise. I just wanted to pass along what I noticed.

Here is a summary:

  • CodeMirror less than 5.58.2 CVE
  • marked less than 1.1.1 Patch (no CVE)
  • jquery-ui less than 1.13.0 CVE, CVE2, CVE3.
  • underscore less than 1.13.0-2 CVE
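The check behind the list above, written out as an added example (not the scanning tool the reporter used and not part of nbclassic): it reads the `version` field from each bundled component's `package.json`/`.bower.json`, compares it with SemVer precedence against the minimum fixed versions quoted in this comment, and reports the ones still below the fix. The component tree, the metadata file names and the sample versions are constructed here so the script runs offline; nbclassic's real component layout is not assumed. One caveat the underscore entry makes concrete: `1.13.0-2` carries a SemVer pre-release tag, so it sorts below the final `1.13.0`, and a comparator that treats `-2` as a "higher than 1.13.0" revision would get this case backwards.

```python
"""Compare bundled JS components against the minimum fixed versions listed above.

Added example, not nbclassic's own tooling. Assumes each bundled component
directory carries a package.json (or .bower.json) with a "version" field; the
component tree is constructed in a temp directory so the script runs offline.
"""
import json
import os
import re
import tempfile

# Minimum versions at which the problems listed in the comment above are fixed.
MIN_FIXED = {
    "codemirror": "5.58.2",
    "marked": "1.1.1",
    "jquery-ui": "1.13.0",
    "underscore": "1.13.0-2",
}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a tuple with SemVer precedence.

    A pre-release (e.g. 1.13.0-2) sorts BELOW its final release (1.13.0), so the
    fourth element is 1 for a release and 0 for a pre-release; numeric pre-release
    identifiers compare numerically and rank below alphanumeric ones (SemVer 2.0.0).
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        pre_key = (1,)
    else:
        parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
        pre_key = (0,) + parts
    return (int(major), int(minor), int(patch)) + pre_key


def is_vulnerable(name, installed):
    """True when `installed` is below the minimum fixed version for `name`."""
    minimum = MIN_FIXED.get(name.lower())
    if minimum is None:
        return False  # not one of the libraries flagged in this issue
    return parse_version(installed) < parse_version(minimum)


def read_component_version(component_dir):
    """Read the version from the component's package.json or .bower.json (assumed layout)."""
    for fname in ("package.json", ".bower.json", "bower.json"):
        path = os.path.join(component_dir, fname)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                return json.load(fh).get("version")
    return None


def scan_components(root):
    """Return {name: (installed, minimum)} for each flagged component still below the fix."""
    findings = {}
    for name in sorted(os.listdir(root)):
        installed = read_component_version(os.path.join(root, name))
        if installed and is_vulnerable(name, installed):
            findings[name] = (installed, MIN_FIXED[name.lower()])
    return findings


def build_sample_tree(root):
    """Constructed sample component tree; the versions are illustrative, not nbclassic's."""
    sample = {
        "codemirror": "5.56.0",    # below 5.58.2
        "marked": "0.7.0",         # below 1.1.1
        "jquery-ui": "1.13.1",     # already at or above the fix
        "underscore": "1.13.0-1",  # pre-release that precedes the fixed 1.13.0-2
        "requirejs": "2.3.6",      # not flagged in this issue
    }
    for name, version in sample.items():
        os.makedirs(os.path.join(root, name), exist_ok=True)
        with open(os.path.join(root, name, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version}, fh)


def demo():
    """Build the constructed tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_components(root)


if __name__ == "__main__":
    for name, (have, need) in demo().items():
        print(f"{name}: bundled {have}, needs >= {need}")
```

To run it against a real checkout, point `scan_components` at the directory holding the bundled components instead of the constructed tree; components without a metadata file are skipped, so a library vendored as a bare minified file still needs a manual look at its header comment.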
@echarles
Member

@RRosio I think this has been addressed in #152

Can you please confirm?

@RRosio
Collaborator

RRosio commented Oct 11, 2022

@echarles Yes I can confirm that! Those changes addressed this issue so with that I think we can close this! Thank you @wshanks for submitting this issue and bringing these CVEs to our attention! For future reference I would like to add here a link to the Jupyter Security outline on handling reporting CVEs https://jupyter.org/security

@RRosio RRosio closed this as completed Oct 11, 2022
@wshanks
Author

wshanks commented Oct 11, 2022

Thanks, @RRosio! Sorry, when I opened this, I was thinking of these as annoying nags from a scanning tool rather than actual security vulnerabilities, but I will follow jupyter.org/security next time.

@wshanks
Author

wshanks commented Dec 2, 2022

@RRosio Following the recommendation from https://jupyter.org/security, I tried sending an email to [email protected] about another JS library with CVEs, but the email was bounced by Google Groups. From jupyter/security#14, I would guess it was getting too much spam and closed outside email? Do you have a recommendation for how I should report the library? I can open another issue like this one if you want. I see that someone did that in #183.

@RRosio
Collaborator

RRosio commented Dec 3, 2022

Hi @wshanks, thank you for reaching out here. We really do appreciate security vulnerabilities being reported through the process outlined by the security committee, unless they are unexpectedly reported as an issue. It seems like some of us may be receiving the email from Google indicating that our email has bounced back but it has actually made it through to the group. We are not sure why this issue is happening, but I believe that you should be receiving a reply to your report soon!

@wshanks
Author

wshanks commented Jan 20, 2023

I haven't seen any reply so far. There is still one JS library with CVEs opened against it. Also, #183 addressed a CVE in another JS library, but there has been no release since that was merged.

I am just giving an update and not trying to nag 🙂 Personally, I can't use nbclassic at work when it contains CVEs, so it would be nice to address them, but I can survive.

@echarles
Member

We have also merged https://github.com/jupyter/nbclassic/pull/152/files which upgrades some other js libs.

As soon as #195 is done, we will cut a release. Does the current main branch address the CVE you have identified? If not, what else should we do before the release?

@RRosio
Collaborator

RRosio commented Jan 21, 2023

Correct me if I'm wrong @wshanks, but I believe based on your comments earlier that there is another JS dependency that you were emailing about, which was not initially reported in this issue and therefore not addressed in #152. Apologies about not receiving a reply after emailing the security group-email. I don't have access to it myself.

@echarles I had initially suggested that @wshanks email the security group-email to report an additional JS dependency vulnerability, however it seems Will has not yet received a reply, and I don't know who has received communication of this vulnerability. Would it be best to have that reported in an issue so that the upcoming release includes the upgrade?

@echarles
Member

@wshanks could you open a separate issue with the JS dep(s) that need to be upgraded before the upcoming release? Thx

@wshanks
Author

wshanks commented Jan 22, 2023

Thanks @echarles and @RRosio, I opened #200 for the remaining JS dep.
