jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-39968 - Medium Severity Vulnerability
Vulnerable Library - jupyter_server-1.24.0-py3-none-any.whl
The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.
Library home page: https://files.pythonhosted.org/packages/5b/ce/142bcb35ffe215d8880e968689ab733bd7976a6c20dae24b6782cce2219a/jupyter_server-1.24.0-py3-none-any.whl
Path to dependency file: /jupyter-conda-22-04/files/etc/jupyter/requirements.txt
Path to vulnerable library: /jupyter-conda-22-04/files/etc/jupyter/requirements.txt
Dependency Hierarchy: - jupyterlab_lsp-3.10.2-py3-none-any.whl (Root Library) - jupyter_lsp-1.5.1-py3-none-any.whl - :x: **jupyter_server-1.24.0-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 6b247e0983d2f20a95b630486ea47b527c663ebb
Found in base branch: master
Vulnerability Details
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2023-08-28
URL: CVE-2023-39968
CVSS 3 Score Details (6.1)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-39968
Release Date: 2023-08-28
Fix Resolution (jupyter-server): 2.7.2
Direct dependency fix Resolution (jupyterlab-lsp): 4.0.0
Step up your Open Source Security Game with Mend here