Description
Execution with Unnecessary Privileges in JupyterApp
Impact
What kind of vulnerability is it? Who is impacted?
We’d like to disclose an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in the current working directory. This vulnerability allows one user to run code as another.
Patches
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to jupyter_core>=4.11.2.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading? No.
References
Are there any links users can visit to find out more? Similar advisory in IPython
Links
- https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp
- https://nvd.nist.gov/vuln/detail/CVE-2022-39286
- https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-core/PYSEC-2022-42974.yaml
- https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN
- https://security.gentoo.org/glsa/202301-04
- https://www.debian.org/security/2023/dsa-5422
Packages
- jupyter-core: affected < 4.11.2, fixed in 4.11.2
EPSS
CVSS4: 8.7 High
CVSS3: 8.8 High
CVE ID
Defects
Related vulnerabilities
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
Vulnerability in Jupyter Core, the core of the Jupyter Notebook interactive development and code execution environment, allowing an attacker to disclose protected information and to load and execute code with elevated privileges.