CVE-2023-40170

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-40170
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.

4.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd Patch
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/
https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd Patch
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/
Configurations

Configuration 1 (hide)

cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*
History

21 Nov 2024, 08:18

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1 		v2 : unknown
v3 : 4.6
References () https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd - Patch () https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd - Patch
References () https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 - Vendor Advisory () https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 - Vendor Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/ -
References () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/ - () https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/ -

15 Sep 2023, 22:15

Type Values Removed Values Added
References
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/ -

09 Sep 2023, 03:15

Type Values Removed Values Added
CWE CWE-79 CWE-284
CWE-306
References
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/ -

01 Sep 2023, 18:36

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.1
CWE CWE-284
CWE-306		 CWE-79
References (MISC) https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 - (MISC) https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 - Vendor Advisory
References (MISC) https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd - (MISC) https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd - Patch
First Time Jupyter jupyter Server
Jupyter
CPE cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*

28 Aug 2023, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-08-28 21:15

Updated : 2024-11-21 08:18

NVD link : CVE-2023-40170

Mitre link : CVE-2023-40170

CVE.ORG link : CVE-2023-40170

JSON object : View

Products Affected

jupyter

  • jupyter_server
CWE
CWE-284

Improper Access Control

CWE-306

Missing Authentication for Critical Function

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024