Lucene search

GoogleOSV:BIT-JUPYTERLAB-2024-22421

HistoryMar 06, 2024 - 10:54 a.m.

BIT-jupyterlab-2024-22421

2024-03-0610:54:03

Google

osv.dev

jupyterlab

extensible environment

interactive computing

reproducible computing

malicious link

authorization token

xsrftoken

jupyter-server

vulnerability fix

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

7.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.2%

JSON

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

CPENameOperatorVersion
jupyterlabge4.0.0
jupyterlablt3.6.7
jupyterlablt4.0.11

Name	Operator	Version
jupyterlab	ge	4.0.0
jupyterlab	lt	3.6.7
jupyterlab	lt	4.0.11

References

github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6

github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947

lists.fedoraproject.org/archives/list/[email protected]/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/