CVE-2024-22421

2024-01-1921:15:09

CWE-23

CWE-200

[email protected]

web.nvd.nist.gov

jupyterlab

cve-2024-22421

tokens

security vulnerability

jupyter notebook

jupyter-server

upgrade

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.2%

JSON

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

Affected configurations

Vulners

NVD

Node

jupyterlabjupyterlabRange<3.6.7

jupyterlabjupyterlabRange4.0.0–4.0.11

CPENameOperatorVersion
jupyter:jupyterlabjupyter jupyterlablt3.6.7
jupyter:jupyterlabjupyter jupyterlablt4.0.11
jupyter:notebookjupyter notebooklt7.0.7

CPE	Name	Operator	Version
jupyter:jupyterlab	jupyter jupyterlab	lt	3.6.7
jupyter:jupyterlab	jupyter jupyterlab	lt	4.0.11
jupyter:notebook	jupyter notebook	lt	7.0.7

CNA Affected

[
  {
    "vendor": "jupyterlab",
    "product": "jupyterlab",
    "versions": [
      {
        "version": "< 3.6.7",
        "status": "affected"
      },
      {
        "version": ">=4.0.0,< 4.0.11",
        "status": "affected"
      }
    ]
  }
]