nvd-json-data-feeds/CVE-2025/CVE-2025-232xx/CVE-2025-23205.json

{
  "id": "CVE-2025-23205",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2025-01-17T21:15:11.850",
  "lastModified": "2025-01-17T21:15:11.850",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has _full access_ to the contents of the page served by formgrader using Bob's credentials. This issue has been addressed in release 0.9.5 and all users are advised to upgrade. Users unable to upgrade may disable `frame-ancestors: self`, or enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame)."
    },
    {
      "lang": "es",
      "value": "nbgrader es un sistema para asignar y calificar cuadernos. Habilitar framework-ancestors: 'self' otorga a cualquier usuario de JupyterHub la capacidad de extraer contenido de formgrader enviando enlaces maliciosos a usuarios con acceso a formgrader, al menos cuando se usa la configuraci\u00f3n predeterminada de JupyterHub de `enable_subdomains = False`. #1915 deshabilita una protecci\u00f3n que permitir\u00eda al usuario Alice manipular una p\u00e1gina que incorpore formgrader en un IFrame. Si Bob visita esa p\u00e1gina, se enviar\u00e1n sus credenciales y se cargar\u00e1 la p\u00e1gina formgrader. Debido a que la p\u00e1gina de Alice est\u00e1 en el mismo origen que el iframe formgrader, Javasript en la p\u00e1gina de Alice tiene _acceso completo_ al contenido de la p\u00e1gina servida por formgrader usando las credenciales de Bob. Este problema se ha solucionado en la versi\u00f3n 0.9.5 y se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar pueden deshabilitar frame-ancestors: self o habilitar subdominios por usuario y por servicio con JupyterHub.enable_subdomains = True (luego, incluso si se permite la incrustaci\u00f3n en un IFrame, la p\u00e1gina del host no tiene acceso al contenido del frame)."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "privilegesRequired": "LOW",
          "userInteraction": "PASSIVE",
          "vulnerableSystemConfidentiality": "HIGH",
          "vulnerableSystemIntegrity": "NONE",
          "vulnerableSystemAvailability": "NONE",
          "subsequentSystemConfidentiality": "NONE",
          "subsequentSystemIntegrity": "NONE",
          "subsequentSystemAvailability": "NONE",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirements": "NOT_DEFINED",
          "integrityRequirements": "NOT_DEFINED",
          "availabilityRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED",
          "modifiedVulnerableSystemIntegrity": "NOT_DEFINED",
          "modifiedVulnerableSystemAvailability": "NOT_DEFINED",
          "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED",
          "modifiedSubsequentSystemIntegrity": "NOT_DEFINED",
          "modifiedSubsequentSystemAvailability": "NOT_DEFINED",
          "safety": "NOT_DEFINED",
          "automatable": "NOT_DEFINED",
          "recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED"
        }
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/jupyter/nbgrader/pull/1915",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/jupyter/nbgrader/security/advisories/GHSA-fcr8-4r9f-r66m",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors",
      "source": "security-advisories@github.com"
    }
  ]
}