Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Debian LTS: Security Advisory for ipython (DLA-2896-1)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The remote host is missing an update for the 'ipython' package(s) announced via the DLA-2896-1 advisory.
Insight
Insight
It was discovered that there was a potential arbitrary code execution vulnerability in IPython, the interactive Python shell. This issue stemmed from IPython executing untrusted files in the current working directory. According to upstream: Almost all versions of IPython looks for configuration and profiles in current working directory. Since IPython was developed before pip and environments existed, it was used a convenient way to load code/packages in a project dependant way. In 2022, it is not necessary anymore, and can lead to confusing behavior where for example cloning a repository and starting IPython or loading a notebook from any Jupyter-Compatible interface that has ipython set as a kernel can lead to code execution. To address this problem, the current working directory is no longer searched for profiles or configuration files.
Affected Software
Affected Software
'ipython' package(s) on Debian Linux.
Detection Method
Detection Method
Checks if a vulnerable package version is present on the target host.
Solution
Solution
For Debian 9 'Stretch', this problem has been fixed in version 5.1.0-3+deb9u1. We recommend that you upgrade your ipython packages.