search

vital-ws / vulnerable

0 stars 2 forks source link

jupyter_core-4.10.0-py3-none-any.whl: 1 vulnerabilities (highest severity is: 8.8) - autoclosed #173

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - jupyter_core-4.10.0-py3-none-any.whl

Jupyter core package. A base package on which Jupyter projects rely.

Library home page: https://files.pythonhosted.org/packages/34/7d/8e442c0637a648c0136f686e015dc2f547f1a19f2690b183aa340a6762bc/jupyter_core-4.10.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/empty/requirements.txt

Path to vulnerable library: /tmp/ws-scm/empty/requirements.txt,/requirements.txt

Found in HEAD commit: fe36bb1fd10cd84fc97be22839bac52fb2466fd7

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jupyter_core version) Remediation Available
CVE-2022-39286 High 8.8 jupyter_core-4.10.0-py3-none-any.whl Direct jupyter-core - 4.11.2

Details

CVE-2022-39286 ### Vulnerable Library - jupyter_core-4.10.0-py3-none-any.whl

Jupyter core package. A base package on which Jupyter projects rely.

Library home page: https://files.pythonhosted.org/packages/34/7d/8e442c0637a648c0136f686e015dc2f547f1a19f2690b183aa340a6762bc/jupyter_core-4.10.0-py3-none-any.whl

Path to dependency file: /tmp/ws-scm/empty/requirements.txt

Path to vulnerable library: /tmp/ws-scm/empty/requirements.txt,/requirements.txt

Dependency Hierarchy: - :x: **jupyter_core-4.10.0-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: fe36bb1fd10cd84fc97be22839bac52fb2466fd7

Found in base branch: main

### Vulnerability Details

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

Publish Date: 2022-10-26

URL: CVE-2022-39286

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363

Release Date: 2022-10-26

Fix Resolution: jupyter-core - 4.11.2

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.