GitHub_MCVELIST:CVE-2024-22421CVE-2024-22421 Potential authentication and CSRF tokens leak in JupyterLab
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
28.2%
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.
CNA Affected
[
{
"vendor": "jupyterlab",
"product": "jupyterlab",
"versions": [
{
"version": "< 3.6.7",
"status": "affected"
},
{
"version": ">=4.0.0,< 4.0.11",
"status": "affected"
}
]
}
]Related
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
28.2%