jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
CVE-2023-40170 - Medium Severity Vulnerability
Vulnerable Library - jupyter_server-1.24.0-py3-none-any.whl
The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.
Library home page: https://files.pythonhosted.org/packages/5b/ce/142bcb35ffe215d8880e968689ab733bd7976a6c20dae24b6782cce2219a/jupyter_server-1.24.0-py3-none-any.whl
Path to dependency file: /jupyter-conda-22-04/files/etc/jupyter/requirements.txt
Path to vulnerable library: /jupyter-conda-22-04/files/etc/jupyter/requirements.txt
Dependency Hierarchy: - jupyterlab_lsp-3.10.2-py3-none-any.whl (Root Library) - jupyter_lsp-1.5.1-py3-none-any.whl - :x: **jupyter_server-1.24.0-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 6b247e0983d2f20a95b630486ea47b527c663ebb
Found in base branch: master
Vulnerability Details
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
Publish Date: 2023-08-28
URL: CVE-2023-40170
CVSS 3 Score Details (6.1)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-40170
Release Date: 2023-08-28
Fix Resolution (jupyter-server): 2.7.2
Direct dependency fix Resolution (jupyterlab-lsp): 4.0.0
Step up your Open Source Security Game with Mend here