JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with `test` option include `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml`, accept overwriting of this file and re-apply your changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. We recommend rebasing all open pull requests from untrusted users as actions may run using the version from the `main` branch at the time when the pull request was created. Users who are upgrading from template version prior to 4.3.0 may wish to leave out proposed changes to the release workflow for now as it requires additional configuration.
Repositories created using the template with the `test` option enabled contain a vulnerable `update-integration-tests.yml` workflow file. An attacker can create a malicious pull request to a repository based on this template, and since GitHub Actions can be executed from the version found in the `main` branch at the time the pull request is opened, untrusted code can be executed in the CI/CD environment without required authorization.
An attacker can remotely execute arbitrary code in the CI/CD environment (GitHub Actions) of the victim's repository, which can lead to theft of secrets, modification of source code, or compromise of the entire deployment pipeline.
Update the extension template to the latest version and overwrite the `update-integration-tests.yml` file, then reapply your own changes. It is recommended to temporarily disable GitHub Actions during the update process. All open pull requests from untrusted users should be rebased. Users migrating from versions before 4.3.0 should skip the proposed changes in the release workflow until additional configuration is completed.
JupyterLab extension repositories created using the `jupyterlab/extension-template` template with the `test` option enabled, hosted on GitHub — in template versions before the latest patch (especially before version 4.3.0).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HJupyter Jupyterlab
APPJupyter< 4.3.0
Related vulnerabilities
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Noteb...
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Noteb...
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Noteb...
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Noteb...
JupyterLab is a user interface for Project Jupyter which will eventually replace the classic Jupyter Notebook....