CVE-2015-5607: CSRF

Published Jul 16, 2015
·
Updated

Cross-site request forgery in the REST API in IPython 2 and 3.

Other sources

IPython (Interactive Python) is a command shell. Cross-site request forgery in the REST API is possible in in IPython 2 and 3. Versions 2.4.1 and 3.2.3 contain patches.

GitHub

POST requests exposed via the IPython REST API are vulnerable to cross-site request forgery (CSRF). Web pages on different domains can make non-AJAX POST requests to known IPython URLs, and IPython will honor them. The user's browser will automatically send IPython cookies along with the requests. The response is blocked by the Same-Origin Policy, but the request isn't.

API paths with issues:

POST /api/contents/<path>/<file> POST /api/contents/<path>/<file>/checkpoints POST /api/contents/<path>/<file>/checkpoints/<checkpointid> POST /api/kernels POST /api/kernels/<kernelid>/<action> POST /api/sessions POST /api/clusters/<clusterid>/<action>

Upstream fixes: 2.x: https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0 3.x: https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816

CVE request: http://seclists.org/oss-sec/2015/q3/92

Red Hat

Affected Software

17 affected componentsFixes available
pip/ipython>=3.0.0<3.2.3
3.2.3
pip/ipython>=0.12<2.4.1
2.4.1
IPython IPython=2.0.0
IPython IPython=2.1.0
IPython IPython=2.2.0
IPython IPython=2.3.0
IPython IPython=2.3.1
IPython IPython=2.4.0
IPython IPython=2.4.1
IPython IPython=3.0.0
IPython IPython=3.1.0
IPython IPython=3.2.0
IPython IPython=3.2.1
IPython IPython=3.2.2
IPython IPython=3.2.3
Fedoraproject Fedora=21
Fedoraproject Fedora=22

Remediation

Patch Available

http://www.openwall.com/lists/oss-security/2015/07/21/3

Patch Available

https://bugzilla.redhat.com/show_bug.cgi?id=1243842

Patch Available

https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816

Patch Available

https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0

Event History

Jul 16, 2015
Data Sourced
via Red Hat·12:56 PM
DescriptionSeverityAffected Software
Sep 20, 2017
CVE Published
via MITRE·04:00 PM
Data Sourced
via MITRE·04:00 PM
Description
Data Sourced
via NVD·04:29 PM
RemedyDescriptionSeverityWeaknessAffected Software
May 17, 2022
Advisory Published
via GitHub·12:35 AM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2015-5607?

CVE-2015-5607 has been classified as a medium severity vulnerability.

2

How do I fix CVE-2015-5607?

To fix CVE-2015-5607, upgrade to IPython version 2.4.1 or 3.2.3 or later.

3

Which versions of IPython are affected by CVE-2015-5607?

IPython versions 2.0.0 through 2.4.0 and 3.0.0 through 3.2.2 are affected by CVE-2015-5607.

4

What type of vulnerability is CVE-2015-5607?

CVE-2015-5607 is classified as a cross-site request forgery (CSRF) vulnerability.

5

Can I continue using IPython versions before 2.4.1 and 3.2.3?

Using IPython versions before 2.4.1 and 3.2.3 poses security risks due to the vulnerability identified in CVE-2015-5607.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203