Jupyter nbgrader Content Extraction Vulnerability via Frame-Ancestors Directive

Vulnerability

A vulnerability has been identified in Jupyter nbgrader that allows users to extract content from the formgrader component by exploiting the Content Security Policy (CSP) frame-ancestors directive. This issue arises when JupyterHub is configured with 'enable_subdomains = False', the default setting. The vulnerability allows a user to craft a page that embeds formgrader in an iframe. When another user visits this page, their browser sends their credentials and loads formgrader in the iframe, giving the first user full access to the second user's formgrader content via JavaScript. This vulnerability affects nbgrader version 0.9.4 and has been patched in version 0.9.5.

Impact

Exploitation of this vulnerability allows unauthorized access to formgrader content, potentially leading to a breach of user privacy and of the integrity of the grading process.

Reproduction

To reproduce this vulnerability, a user must first disable the 'frame-ancestors: self' directive in their JupyterHub configuration. Then, they can create a page that embeds the formgrader component in an iframe. When another user visits this page, the vulnerability is triggered, as their credentials are used to access formgrader content.

Remediation

Users are advised to upgrade to Jupyter nbgrader version 0.9.5. If an upgrade is not possible, the 'frame-ancestors: self' directive can be disabled, or JupyterHub subdomains can be enabled with 'JupyterHub.enable_subdomains = True'.
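
The check below is an added example, not code from nbgrader, JupyterHub or this advisory: it classifies a Content-Security-Policy header value together with the enable_subdomains setting, to help audit a deployment for the condition described above. The function names and verdict strings are hypothetical, the header strings used with it are constructed, and X-Frame-Options is assumed to be reviewed separately.

```python
# Added example, not nbgrader or JupyterHub code. Names and verdicts are hypothetical.

def frame_ancestors(csp_header):
    """Return one source list per policy in the header (None if the directive is absent)."""
    per_policy = []
    for policy in csp_header.split(","):           # commas separate independent policies
        sources = None
        for directive in policy.split(";"):
            tokens = directive.split()
            # Directive names are case-insensitive; a repeated directive is ignored.
            if tokens and tokens[0].lower() == "frame-ancestors" and sources is None:
                sources = [t.lower() for t in tokens[1:]]
        per_policy.append(sources)
    return per_policy


def same_origin_framing(csp_header):
    """Classify whether a same-origin page may embed the response."""
    verdicts = set()
    for sources in frame_ancestors(csp_header):
        if sources is None:
            verdicts.add("review")                 # CSP is silent on framing here
            continue
        effective = [s for s in sources if s != "'none'"]
        if not effective:
            verdicts.add("blocked")                # 'none' or an empty list: no embedding
        elif "'self'" in effective or "*" in effective:
            verdicts.add("allowed")
        else:
            verdicts.add("review")                 # host/scheme sources: compare by hand
    # Every policy must permit the embedding, so the strictest verdict wins.
    for verdict in ("blocked", "review", "allowed"):
        if verdict in verdicts:
            return verdict


def formgrader_exposure(csp_header, enable_subdomains):
    """Combine the header verdict with the JupyterHub subdomain setting."""
    verdict = same_origin_framing(csp_header)
    if verdict == "blocked":
        return "not frameable"
    if enable_subdomains:
        return "isolated by subdomains"            # embedding page is on another origin
    return "exposed" if verdict == "allowed" else "needs review"
```

Feed it the Content-Security-Policy value returned for a formgrader URL and the value of JupyterHub.enable_subdomains from the Hub configuration.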

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.