CVSS3: 6.1 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.003 Low (Percentile 71.0%)
Jupyter blog:

Login pages tend to take a parameter for redirecting back to a page after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb, so that you aren’t disrupted too much if you try to visit a page, but have to authenticate first. An Open Redirect Vulnerability is when a malicious person crafts a link pointing to the login page of a trusted site, but setting the “redirect after successful login” parameter to send the user to their own site, instead of a page on the authenticated site (the notebook or JupyterHub server), e.g. /login?next=http://badwebsite.biz. This doesn’t necessarily compromise anything immediately, but it enables phishing if users don’t notice that the domain has changed, e.g. by showing a fake “re-enter your password” page. Servers generally have to validate the redirect URL to avoid this. Both JupyterHub and Notebook already do this, but the validation didn’t take into account all possible ways to redirect to other sites, so some malicious URLs could still be crafted to redirect away from the server (the above example does not work in any recent version of either package). Only certain browsers (Chrome and Firefox, not Safari) could be redirected from the JupyterHub login page, but all browsers could be redirected away from a standalone notebook server.
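The blog excerpt's point is that checking for an obvious "http://host" prefix is not enough, because browsers resolve several other spellings of a next value to a different origin. The validator below is an added illustration, not Jupyter's or JupyterHub's own code; is_safe_redirect, resolve_next and the base_url parameter (standing in for a server's base path such as a per-user prefix on JupyterHub) are assumptions for this example.

```python
from urllib.parse import urlsplit


def is_safe_redirect(next_url: str, base_url: str = "/") -> bool:
    """Accept only a server-relative path under base_url.

    Hypothetical helper for illustration (not Jupyter's code). It rejects
    every form a browser would resolve to another origin, not just the
    plain "http://host" case the page's example shows.
    """
    if not next_url:
        return False
    # Browsers strip tabs and newlines and tolerate other control
    # characters, so any of them can change how the URL is parsed.
    if any(ord(c) < 0x20 or c.isspace() for c in next_url):
        return False
    # Browsers treat a backslash like a forward slash, so "/\host" is
    # just another spelling of the scheme-relative "//host".
    if "\\" in next_url:
        return False
    # Require an absolute path on this server: exactly one leading "/".
    # Test the raw string: urlsplit("///host") reports an empty netloc
    # even though browsers resolve it to "http://host/".
    if not next_url.startswith("/") or next_url.startswith("//"):
        return False
    parts = urlsplit(next_url)
    # Belt and braces: any scheme or host component means off-server.
    if parts.scheme or parts.netloc:
        return False
    # Stay inside the server's base path (e.g. "/user/alice/" on a hub).
    return parts.path.startswith(base_url)


def resolve_next(next_url: str, base_url: str = "/", default: str = "/tree") -> str:
    """Return next_url if it validates, otherwise fall back to the default page."""
    return next_url if is_safe_redirect(next_url, base_url) else default
```

A login handler would call resolve_next on the raw query value and redirect only to what it returns, never to the parameter itself.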
OS | OS Version | Architecture | Package | Package Version | Filename
---|---|---|---|---|---
FreeBSD | any | noarch | py27-notebook | < 5.7.8 | UNKNOWN
FreeBSD | any | noarch | py35-notebook | < 5.7.8 | UNKNOWN
FreeBSD | any | noarch | py36-notebook | < 5.7.8 | UNKNOWN
FreeBSD | any | noarch | py37-notebook | < 5.7.8 | UNKNOWN