Lucene search

K
ubuntucveUbuntu.comUB:CVE-2024-22421
HistoryJan 19, 2024 - 12:00 a.m.

CVE-2024-22421

2024-01-1900:00:00
ubuntu.com
ubuntu.com
11
jupyterlab
vulnerability
cve-2024-22421
'authorization'
'xsrftoken'
tokens
third party
jupyter-server
version 2.7.2

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

7.3 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

28.1%

JupyterLab is an extensible environment for interactive and reproducible
computing, based on the Jupyter Notebook and Architecture. Users of
JupyterLab who click on a malicious link may get their Authorization and
XSRFToken tokens exposed to a third party when running an older
jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7
are patched. No workaround has been identified, however users should ensure
to upgrade jupyter-server to version 2.7.2 or newer which includes a
redirect vulnerability fix.

Notes

Author Note
sbeattie code appears to be introduced in jupyter-notebook 7.0 jupyter-server 2.7.2 fix is CVE-2023-39968

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

7.3 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

28.1%