GitHub Advisory Database: GHSA-R726-VMFQ-J9J3

Open Redirect Vulnerability in jupyter-server

Published: 2023-08-29 23:34:22
CWE: CWE-601
Source: GitHub Advisory Database (github.com)

CVSS v3.1: 6.1 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

EPSS: 0.001 Low (percentile 20.4%)

Impact

Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.
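The class of defect behind this advisory (CWE-601) is a login handler that forwards the browser to whatever "next" target the link carried. The allow-list check below is an added illustration, not jupyter-server's own code or its actual fix; the parameter name and the base_url default are assumptions. It accepts only server-relative paths under the server's base path and rejects absolute URLs, protocol-relative "//host" forms, backslash variants that browsers normalise to "//", and control characters.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example of a safe-redirect allow-list for a login "next" parameter.
# Not jupyter-server's code; base_url="/" is an assumption for the example.


def safe_next_url(next_url: str, base_url: str = "/") -> str:
    """Return next_url if it stays on this server, else base_url.

    Accepted: a single-slash-rooted path under base_url, with no scheme
    and no host. Everything else falls back to base_url.
    """
    if not next_url:
        return base_url
    # Reject control characters and whitespace; browsers strip some of
    # these, which can turn a harmless-looking value into an off-site URL.
    if any(ch.isspace() or not ch.isprintable() for ch in next_url):
        return base_url
    # Browsers treat "\" like "/" in the authority position, so "/\host"
    # is handled as "//host" (an off-site redirect). Refuse it outright,
    # since urlsplit() does not normalise backslashes.
    if "\\" in next_url:
        return base_url
    parts = urlsplit(next_url)
    # Any scheme (https:, javascript:, ...) or netloc leaves this server.
    if parts.scheme or parts.netloc:
        return base_url
    # Require exactly one leading slash: "//host" and "///host" are
    # protocol-relative in browsers even when urlsplit() sees no netloc.
    if not next_url.startswith("/") or next_url.startswith("//"):
        return base_url
    # Stay under the server's own base path.
    if not next_url.startswith(base_url):
        return base_url
    # Rebuild from path and query only, dropping any fragment.
    return urlunsplit(("", "", parts.path, parts.query, ""))
```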

Patches

Upgrade to Jupyter Server 2.7.2

Workarounds

None.

References

Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

Affected configurations

Vulners node: jupyter / jupyter_server, range < 2.7.2
CPE: jupyter-server, operator lt, version 2.7.2
