ghsa-fvcq-4x64-hqxr
Vulnerability from github
Published
2024-06-11 21:12
Modified
2025-02-28 17:38
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Jupyter Server Proxy has a reflected XSS issue in host parameter
Details

Impact

There is a reflected cross-site scripting (XSS) issue in jupyter-server-proxy[1]. The /proxy endpoint accepts a host path segment in the format /proxy/<host>. When this endpoint is called with an invalid host value, jupyter-server-proxy replies with a response that includes the value of host, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid host value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of GET /proxy/<host>, which runs the custom JavaScript contained in host set by the actor. As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. This issue exists in the latest release of jupyter-server-proxy, currently v4.1.2. Impacted versions: >=3.0.0,<=4.1.2

Patches

The patches are included in ==4.2.0 and ==3.2.4.

Workarounds

Server operators who are unable to upgrade can disable the jupyter-server-proxy extension with:

jupyter server extension disable jupyter-server-proxy

References

[1] : https://github.com/jupyterhub/jupyter-server-proxy/ [2] : https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.2.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-11T21:12:47Z",
    "nvd_published_at": "2024-06-11T22:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThere is a reflected cross-site scripting (XSS) issue in `jupyter-server-proxy`[1]. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/\u003chost\u003e`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/\u003chost\u003e`, which runs the custom JavaScript contained in `host` set by the actor.\nAs any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user\u0027s JupyterLab instance for an actor. This issue exists in the latest release of `jupyter-server-proxy`, currently `v4.1.2`.\n**Impacted versions:** `\u003e=3.0.0,\u003c=4.1.2`\n\n### Patches\n\nThe patches are included in `==4.2.0` and `==3.2.4`.\n\n### Workarounds\n\nServer operators who are unable to upgrade can disable the `jupyter-server-proxy` extension with:\n\n```\njupyter server extension disable jupyter-server-proxy\n```\n\n### References\n\n[1] : https://github.com/jupyterhub/jupyter-server-proxy/\n[2] : https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328",
  "id": "GHSA-fvcq-4x64-hqxr",
  "modified": "2025-02-28T17:38:13Z",
  "published": "2024-06-11T21:12:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/7abc9dc5bbb0b4b440548a5375261b8b8192fc22"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/ff78128087e73fb9d0909e1366f8bf051e8ea878"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server-proxy/PYSEC-2024-236.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jupyter Server Proxy has a reflected XSS issue in host parameter"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.