JupyterLab Users Beware: Clickjacking Vulnerability Exposes Tokens

CVE: CVE-2024-22421
CVSS v3.1: 7.6
Source: CVE-2024-22421

JupyterLab is a popular open-source web application used for interactive data science and scientific computing. Security researchers recently discovered a clickjacking vulnerability in older versions of JupyterLab that could allow malicious actors to steal users’ authentication tokens.

The vulnerability affects JupyterLab versions prior to 4.1.0b2, 4.0.11, and 3.6.7 and stems from how the application handles redirects. When a user clicks a malicious link, their browser could be tricked into sending the user’s authorization and anti-CSRF tokens to a third-party site. These tokens would then grant the attacker access to the user’s JupyterLab session and any notebooks or data accessible through it.

Clickjacking, also known as a “UI redress attack”, is a technique in which an attacker stacks transparent or opaque layers over a page to trick a user into clicking a button or link on another page when they intended to click on the top-level page. This vulnerability in JupyterLab’s redirect handling could enable such an attack.

To protect themselves, JupyterLab users should upgrade immediately to a patched release: 4.1.0b2 or later, 4.0.11 on the 4.0 line, or 3.6.7 on the 3.x line. Users should also be cautious of unexpected links or emails claiming to be related to JupyterLab or associated projects. Staying on top of software updates is one of the best ways to defend against vulnerabilities like this. With proactive patching, JupyterLab users can continue to leverage the powerful data science platform securely.
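A small triage helper, added here as an example and not code from the advisory or from the JupyterLab project, that checks an installed JupyterLab version against the three patched releases named above. It assumes only those thresholds and the PEP 440 rule that a pre-release (a, b, rc) sorts below its final release; the `pip freeze` text it scans is constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Patched releases named in the advisory for CVE-2024-22421.
PATCHED = ("3.6.7", "4.0.11", "4.1.0b2")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}  # PEP 440 order: a < b < rc < final

def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sort key for versions of the form N.N.N[{a|b|rc}N]; a pre-release
    sorts below its final release (final gets rank 3)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, _PRE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, 3, 0)

# Fixed ranges per release line: [first patched build, first build of the next line).
# (4, 0, 0, 0, 0) is the key of 4.0.0a0, the lowest possible 4.0 version.
FIXED_BANDS = (
    (version_key("3.6.7"), (4, 0, 0, 0, 0)),
    (version_key("4.0.11"), (4, 1, 0, 0, 0)),
    (version_key("4.1.0b2"), None),
)

def is_affected(version: str) -> bool:
    """True if this JupyterLab version predates the fix on its release line."""
    v = version_key(version)
    for low, high in FIXED_BANDS:
        if v >= low and (high is None or v < high):
            return False
    return True

def triage_pip_freeze(freeze_output: str) -> Optional[str]:
    """Scan `pip freeze` output; return a verdict line for jupyterlab, or None if absent."""
    for line in freeze_output.splitlines():
        name, sep, ver = line.strip().partition("==")
        if sep and name.lower() == "jupyterlab":
            state = "AFFECTED" if is_affected(ver) else "patched"
            return f"jupyterlab {ver}: {state} (patched releases: {', '.join(PATCHED)})"
    return None

# Constructed sample `pip freeze` output (not from a real environment).
SAMPLE_FREEZE = "ipykernel==6.29.0\njupyterlab==4.0.9\nnotebook==7.0.6\n"

if __name__ == "__main__":
    print(triage_pip_freeze(SAMPLE_FREEZE))
```

Note that a 4.1 pre-release older than 4.1.0b2 (for example 4.1.0a1) is reported as affected even though it sorts above 4.0.11, which is why the fixed ranges are tracked per release line.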
