AVID-2026-R1507
Description
Remote Code Execution (RCE) vulnerability in jupyterlab extension template update-integration-tests GitHub Action (CVE-2024-39700)
Details
JupyterLab extension template is a copier template for JupyterLab extensions. Repositories created from this template with the test option enabled include an update-integration-tests.yml workflow that has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to update-integration-tests.yml should accept overwriting of this file and re-apply their changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. We recommend rebasing all open pull requests from untrusted users, as actions may run using the version from the main branch at the time the pull request was created. Users who are upgrading from a template version prior to 4.3.0 may wish to leave out the proposed changes to the release workflow for now, as they require additional configuration.
Reason for inclusion in AVID: The CVE describes a remote code execution (RCE) vulnerability in the GitHub Actions workflow (update-integration-tests.yml) generated by the jupyterlab extension-template copier template. This is a software supply chain issue because the template is used to scaffold AI-related projects (JupyterLab extensions), and the embedded GitHub Actions workflow can be exploited to execute arbitrary code in CI pipelines. The vulnerability concerns AI tooling and ML workflow stacks (JupyterLab/AI development) and affects components (templates/CI workflows) used to build and deploy AI software. The CVE-2024-39700 details describe an RCE risk (CWE-94) with a complete advisory trail (NVD entry, GHSA advisory, commits) supporting sufficiency of evidence.
References
- NVD entry
- https://github.com/jupyterlab/extension-template/security/advisories/GHSA-45gq-v5wm-82wg
- https://github.com/jupyterlab/extension-template/commit/035e78c1c65bcedee97c95bb683abe59c96bc4e6
Affected or Relevant Artifacts
- Developer: jupyterlab
- Deployer: jupyterlab
- Artifact Details:
| Type | Name |
|---|---|
| System | extension-template |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Base Score | 10.0 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | NONE |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-07-16
- Version: 0.3.3
- AVID Entry