Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
CVE-2022-39286 - High Severity Vulnerability
Jupyter core package. A base package on which Jupyter projects rely.
Library home page: https://files.pythonhosted.org/packages/63/0d/df2d17cdf389cea83e2efa9a4d32f7d527ba78667e0153a8e676e957b2f7/jupyter_core-4.6.3-py2.py3-none-any.whl
Path to dependency file: /tmp/ws-scm/Container-Security-With-JenkinsCI/requirements.txt
Path to vulnerable library: /tmp/ws-scm/Container-Security-With-JenkinsCI/requirements.txt
Dependency Hierarchy: - notebook-5.4.0-py2.py3-none-any.whl (Root Library) - :x: **jupyter_core-4.6.3-py2.py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
Publish Date: 2022-10-26
URL: CVE-2022-39286
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363
Release Date: 2022-10-26
Fix Resolution (jupyter-core): 4.11.2
Direct dependency fix Resolution (notebook): 5.4.1
Step up your Open Source Security Game with Mend here