Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
vulnrichmentGitHub_MVULNRICHMENT:CVE-2024-28233
HistoryMar 27, 2024 - 6:16 p.m.

CVE-2024-28233 XSS in JupyterHub via Self-XSS leveraged by Cookie Tossing

2024-03-2718:16:24
CWE-79
CWE-565
CWE-352
GitHub_M
github.com
4
jupyterhub
xss
cookie tossing
vulnerability
multi-user server
api
subdomain

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

7.6

Confidence

High

SSVC

Exploitation

none

Automatable

no

Technical Impact

total

JSON

JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former’s session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user’s single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:jupyterhub:jupyterhub:*:*:*:*:*:*:*:*"
    ],
    "vendor": "jupyterhub",
    "product": "jupyterhub",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "4.1.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Related

veracode 1
cvelist 1
ubuntucve 1
osv 3
nvd 1
cve 1
github 1
debiancve 1
ibm 2
veracode
veracode
Cross Site Scripting (XSS)
2024-03-29 14:59:06
cvelist
cvelist
CVE-2024-28233 XSS in JupyterHub via Self-XSS leveraged by Cookie Tossing
2024-03-27 18:16:24
ubuntucve
ubuntucve
CVE-2024-28233
2024-03-27 00:00:00
osv
osv
Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing
2024-03-28 17:08:10
CVE-2024-28233
2024-03-27 19:15:48
BIT-jupyterhub-2024-28233
2024-04-03 10:52:35
nvd
nvd
CVE-2024-28233
2024-03-27 19:15:48
cve
cve
CVE-2024-28233
2024-03-27 19:15:48
github
github
Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing
2024-03-28 17:08:10
debiancve
debiancve
CVE-2024-28233
2024-03-27 19:15:48
ibm
ibm
Security Bulletin: IBM Cognos Analytics has addressed security vulnerabilities in JupyterHub, R Programming Language and Apache MINA (CVE-2024-28233, CVE-2024-27322, CVE-2019-0231, CVE-2021-41973)
2024-06-27 22:33:39
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
2024-06-27 22:37:10

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

AI Score

7.6

Confidence

High

SSVC

Exploitation

none

Automatable

no

Technical Impact

total

JSON
Related for VULNRICHMENT:CVE-2024-28233
veracode1cvelist1ubuntucve1osv3nvd1cve1github1debiancve1ibm2