GoogleOSV:GHSA-R726-VMFQ-J9J3Open Redirect Vulnerability in jupyter-server
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.5%
Impact
Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.
Patches
Upgrade to Jupyter Server 2.7.2
Workarounds
None.
References
Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
References
github.com/jupyter-server/jupyter_server
github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-155.yaml
lists.fedoraproject.org/archives/list/[email protected]/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ
lists.fedoraproject.org/archives/list/[email protected]/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF
nvd.nist.gov/vuln/detail/CVE-2023-39968
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
20.5%