Cross-site request forgery in ipython

1) Cross-site request forgery

EUVDB-ID: #VU38231

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2015-5607

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Cross-site request forgery in the REST API in IPython 2 and 3.

Mitigation

Install update from vendor's website.

Vulnerable software versions

ipython: 2.0.0 - 3.2.3

Fedora: 2.0.0 - 22

CPE2.3

• cpe:2.3:a:ipython.org:ipython:2.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:ipython.org:ipython:2.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:ipython.org:ipython:2.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:ipython.org:ipython:2.3.1:*:*:*:*:*:*:*
• cpe:2.3:a:ipython.org:ipython:2.4.1:*:*:*:*:*:*:*
• cpe:2.3:a:ipython.org:ipython:3.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:ipython.org:ipython:3.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:ipython.org:ipython:3.2.3:*:*:*:*:*:*:*
• cpe:2.3:o:fedoraproject:fedora:2.0.0:*:*:*:*:*:*:*
• cpe:2.3:o:fedoraproject:fedora:2.1.0:*:*:*:*:*:*:*

External links

https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162671.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-July/162936.html
https://www.openwall.com/lists/oss-security/2015/07/21/3
https://bugzilla.redhat.com/show_bug.cgi?id=1243842
https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816
https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.