CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.005 Low
Percentile: 75.6%
What kind of vulnerability is it? Who is impacted?
We'd like to disclose an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in the current working directory. This vulnerability allows one user to run code as another.
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to jupyter_core>=4.11.2.
Is there a way for users to fix or remediate the vulnerability without upgrading?
No.
Are there any links users can visit to find out more?
Similar advisory in IPython
github.com/jupyter/jupyter_core
github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283
github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp
github.com/pypa/advisory-database/tree/main/vulns/jupyter-core/PYSEC-2022-42974.yaml
lists.debian.org/debian-lts-announce/2022/11/msg00022.html
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN
nvd.nist.gov/vuln/detail/CVE-2022-39286
security.gentoo.org/glsa/202301-04
www.debian.org/security/2023/dsa-5422