pysec-2023-155
Vulnerability from pysec
Published
2023-08-28 21:15
Modified
2023-09-01 16:31
Severity ?
Details
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit 29036259
which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "jupyter-server", "purl": "pkg:pypi/jupyter-server" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "290362593b2ffb23c59f8114d76f77875de4b925" } ], "repo": "https://github.com/jupyter-server/jupyter_server", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "2.7.2" } ], "type": "ECOSYSTEM" } ], "versions": [ "0.0.0", "0.0.1", "0.0.2", "0.0.3", "0.0.4", "0.0.5", "0.1.0", "0.1.1", "0.2.0", "0.2.1", "0.3.0", "1.0.0", "1.0.0rc0", "1.0.0rc1", "1.0.0rc10", "1.0.0rc11", "1.0.0rc12", "1.0.0rc13", "1.0.0rc14", "1.0.0rc15", "1.0.0rc16", "1.0.0rc2", "1.0.0rc3", "1.0.0rc4", "1.0.0rc5", "1.0.0rc6", "1.0.0rc7", "1.0.0rc8", "1.0.0rc9", "1.0.1", "1.0.10", "1.0.11", "1.0.2", "1.0.3", "1.0.4", "1.0.5", "1.0.6", "1.0.7", "1.0.8", "1.0.9", "1.1.0", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.10.0", "1.10.1", "1.10.2", "1.11.0", "1.11.1", "1.11.2", "1.12.0", "1.12.1", "1.13.0", "1.13.1", "1.13.2", "1.13.3", "1.13.4", "1.13.5", "1.15.0", "1.15.1", "1.15.2", "1.15.3", "1.15.4", "1.15.5", "1.15.6", "1.16.0", "1.17.0", "1.17.1", "1.18.0", "1.18.1", "1.19.0", "1.19.1", "1.2.0", "1.2.1", "1.2.2", "1.2.3", "1.21.0", "1.23.0", "1.23.1", "1.23.2", "1.23.3", "1.23.4", "1.23.5", "1.23.6", "1.24.0", "1.3.0", "1.4.0", "1.4.1", "1.5.0", "1.5.1", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.6.4", "1.7.0", "1.7.0a1", "1.7.0a2", "1.8.0", "1.9.0", "2.0.0", "2.0.0a0", "2.0.0a1", "2.0.0a2", "2.0.0b0", "2.0.0b1", "2.0.0rc0", "2.0.0rc1", "2.0.0rc2", "2.0.0rc3", "2.0.0rc4", "2.0.0rc5", "2.0.0rc6", "2.0.0rc7", "2.0.0rc8", "2.0.1", "2.0.2", "2.0.3", "2.0.4", "2.0.5", "2.0.6", "2.0.7", "2.1.0", "2.2.0", "2.2.1", "2.3.0", "2.4.0", "2.5.0", "2.6.0", "2.7.0", "2.7.1" ] } ], "aliases": [ "CVE-2023-39968", "GHSA-r726-vmfq-j9j3" ], "details": "jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "id": "PYSEC-2023-155", "modified": "2023-09-01T16:31:48.441782+00:00", "published": "2023-08-28T21:15:00+00:00", "references": [ { "type": "FIX", "url": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925" }, { "type": "ADVISORY", "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.