Path to dependency file: /jupyter-scipy/requirements.txt
Path to vulnerable library: /jupyter-scipy/requirements.txt,/jupyter-scipy/requirements.txt,/jupyter-pytorch-full/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter-pytorch-full/requirements.txt
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
CVE-2023-40170 - Medium Severity Vulnerability
The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.
Library home page: https://files.pythonhosted.org/packages/1d/c4/2c22ebce27b5b51b19c09fd99a027eefb2bf72184afea58e7ccfbfd46166/jupyter_server-1.23.6-py3-none-any.whl
Path to dependency file: /jupyter-scipy/requirements.txt
Path to vulnerable library: /jupyter-scipy/requirements.txt,/jupyter-scipy/requirements.txt,/jupyter-pytorch-full/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter/requirements.txt,/jupyter-tensorflow-full/requirements.txt,/jupyter-pytorch-full/requirements.txt
Dependency Hierarchy: - :x: **jupyter_server-1.23.6-py3-none-any.whl** (Vulnerable Library)
Found in base branch: master
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
Publish Date: 2023-08-28
URL: CVE-2023-40170
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40170
Release Date: 2023-08-28
Fix Resolution: 2.7.2
Step up your Open Source Security Game with Mend here