Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link.
The vulnerability classified as CWE-601 (Open Redirect) is exploited by embedding a malicious link in the Markdown content within an Nteract notebook. The application improperly processes or validates the content of such links, leading to unauthorized code execution on the victim's machine. Public proof-of-concept (PoC) code is available in the EQSTLab repository on GitHub.
An attacker can gain full control over the victim's system — the vulnerability provides a high level of impact on confidentiality, integrity, and system availability, which corresponds to the ability to execute arbitrary code with application privileges.
Patches available from the vendor should be applied according to references. Avoid opening Nteract notebooks from untrusted sources until updates are applied.
Nteract version 0.28.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNteract
APPNteract0.28.0