Описание
Open Redirect Vulnerability in jupyter-server
Impact
Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.
Patches
Upgrade to Jupyter Server 2.7.2
Workarounds
None.
References
Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
Ссылки
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
- https://nvd.nist.gov/vuln/detail/CVE-2023-39968
- https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
- https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-155.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF
Пакеты
jupyter-server
< 2.7.2
2.7.2
Связанные уязвимости
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
jupyter-server is the backend for Jupyter web applications. Open Redir ...