=====================================================================
CERT-Renater Note d'Information No. 2023/VULN271
_____________________________________________________________________

DATE : 30/08/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Jupyter Server versions prior to 2.7.2.
=====================================================================

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
_____________________________________________________________________

Open Redirect Vulnerability
Severity: Moderate
Published by Zsailer as GHSA-r726-vmfq-j9j3

Package: jupyter-server (pip)
Affected versions: < 2.7.2
Patched versions: 2.7.2

Description

Impact
Open redirect vulnerability. Maliciously crafted login links to known Jupyter Servers can cause a successful login, or an already logged-in session, to be redirected to arbitrary sites; redirects should be restricted to URLs served by the Jupyter Server itself.

Patches
Upgrade to Jupyter Server 2.7.2.

Workarounds
None.

References
Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
https://blog.xss.am/2023/08/CVE-2023-39968-jupyter-token-leak/

Severity: Moderate, 4.3 / 10
CVSS base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: Required
  Scope: Unchanged
  Confidentiality: Low
  Integrity: None
  Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE ID: CVE-2023-39968
Weaknesses: CWE-601
Credits: @davwwwx (davwwwx)
_____________________________________________________________________

Cross-site inclusion (XSSI) of files
Severity: Moderate
Published by Zsailer as GHSA-64x5-55rw-9974

Package: jupyter-server (pip)
Affected versions: < 2.7.2
Patched versions: 2.7.2

Description

Impact
Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or access to files when opening untrusted files via "Open image in new tab".

Patches
Jupyter Server 2.7.2.

Workarounds
Use the lower-performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks.

References
The upstream patch for CVE-2019-9644 was not applied completely, leaving part of the vulnerability open.
Vulnerability reported by Tim Coen via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

Severity: Moderate
CVE ID: CVE-2023-40170
Weaknesses: CWE-284

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
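The open redirect in GHSA-r726-vmfq-j9j3 is a CWE-601 issue: the login flow honoured a caller-supplied redirect target that could name another origin. The following is an added example written for this note, not Jupyter Server's own code or its actual fix; it shows the check a post-login `next` parameter has to pass so that, as the advisory puts it, redirects stay restricted to URLs served by the Jupyter Server itself. The function name `safe_next_url`, the `base_url` parameter and the sample inputs are assumptions chosen for illustration.

```python
"""Same-origin check for a login ``next`` target (CWE-601).

Added example for this note; not Jupyter Server's code or its actual fix.
It enforces the property the advisory describes: after login the server may
only redirect to URLs it serves itself.  ``safe_next_url``, ``base_url`` and
the sample inputs are assumptions chosen for illustration.
"""
import posixpath
from urllib.parse import urlsplit, urlunsplit


def safe_next_url(next_url, base_url="/"):
    """Return a server-local redirect target, or None if it must be refused.

    Refuses absolute URLs, scheme-relative forms (``//host``, ``///host``),
    backslash variants browsers normalise to slashes, non-absolute paths,
    and any path that resolves outside ``base_url``.
    """
    if not next_url:
        return None
    # Browsers drop tabs/newlines inside URLs and treat "\" like "/" in the
    # authority position, so normalise before judging the string.
    candidate = "".join(ch for ch in next_url if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    if candidate.startswith("//"):
        # "//evil" and "///evil" both resolve to host "evil" in a browser even
        # though urlsplit reports an empty netloc for the triple-slash form.
        return None
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return None                     # "https://evil/...", "javascript:..."
    path = parts.path
    if not path.startswith("/"):
        return None                     # "evil.example" is a relative path
    # Collapse "." and ".." before checking the prefix so "/base/../x"
    # cannot escape the server's base URL.
    prefix = base_url.rstrip("/")
    normalised = posixpath.normpath(path)
    if not (normalised == prefix or normalised.startswith(prefix + "/")):
        return None
    # Re-assemble only the components that cannot change the origin.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: the first two are acceptable, the rest are not.
    for sample in ["/tree?x=1", "/jupyter/lab", "//evil.example/",
                   "///evil.example", "/\\evil.example",
                   "https://evil.example/", "javascript:alert(1)"]:
        print(f"{sample!r:32} -> {safe_next_url(sample)!r}")
```

The check judges the raw string first (`//`, `///` and backslash forms resolve to a foreign host in browsers even though `urlsplit` reports an empty netloc for the triple-slash form) and only then the parsed components; the normalised path is compared against `base_url` so that `..` segments cannot escape the server's prefix. Returning a re-assembled path rather than the caller's string means the redirect can never carry a scheme or host.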
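To act on this note across a fleet, the first questions are whether an installed jupyter-server predates 2.7.2 and, for the XSSI advisory, whether the FilesHandler workaround is in place. The following is an added audit helper written for this note (not code from Jupyter Server or CERT-Renater). It encodes only what the note states: releases before 2.7.2 are affected by both CVEs, the open redirect has no workaround, and `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler` mitigates CVE-2023-40170. The function names and the sample command lines are assumptions; `importlib.metadata` is used to read the installed version.

```python
"""Audit helper for CERT-Renater 2023/VULN271 (jupyter-server < 2.7.2).

Added example for this note; not code from Jupyter Server or CERT-Renater.
Only facts stated in the note are encoded here (the 2.7.2 fix release, the
absence of a workaround for CVE-2023-39968, and the FilesHandler workaround
for CVE-2023-40170).  Function names and sample arguments are assumptions.
"""
import re
from importlib import metadata

FIXED_RELEASE = (2, 7, 2)
FILES_HANDLER_TRAIT = "--ContentsManager.files_handler_class"
FILES_HANDLER_WORKAROUND = "jupyter_server.files.handlers.FilesHandler"


def parse_version(text):
    """Map a PEP 440-style version to a comparable tuple.

    Returns (major, minor, patch, final) where final is 0 for pre-releases
    ("2.7.2rc1", "2.7.2.dev0") and 1 otherwise, so 2.7.1 < 2.7.2rc1 < 2.7.2.
    Unparsable input raises ValueError rather than being guessed at.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release = (release + (0, 0, 0))[:3]          # "2.7" -> (2, 7, 0)
    pre = re.match(r"^\.?(a|b|rc|dev|alpha|beta|pre)\d*", m.group(2))
    return release + (0 if pre else 1,)


def is_affected(version):
    """True when ``version`` is earlier than the 2.7.2 fix release."""
    return parse_version(version) < FIXED_RELEASE + (1,)


def has_files_handler_workaround(argv):
    """True when the server command line sets the FilesHandler workaround.

    Both spellings traitlets accepts are handled: ``--Trait=value`` and
    ``--Trait value``.  Settings made in a jupyter_server_config.py file are
    not visible here (assumption: the caller audits those separately).
    """
    argv = list(argv)
    for i, arg in enumerate(argv):
        if arg == FILES_HANDLER_TRAIT and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(FILES_HANDLER_TRAIT + "="):
            value = arg.partition("=")[2]
        else:
            continue
        if value.strip("'\"") == FILES_HANDLER_WORKAROUND:
            return True
    return False


def audit(version, argv=()):
    """Return the findings from this note that still apply to ``version``."""
    if not is_affected(version):
        return []
    findings = [
        "CVE-2023-39968 (open redirect, GHSA-r726-vmfq-j9j3): "
        "no workaround, upgrade to jupyter-server 2.7.2"
    ]
    if has_files_handler_workaround(argv):
        findings.append(
            "CVE-2023-40170 (XSSI, GHSA-64x5-55rw-9974): "
            "FilesHandler workaround present; still upgrade to 2.7.2"
        )
    else:
        findings.append(
            "CVE-2023-40170 (XSSI, GHSA-64x5-55rw-9974): upgrade to 2.7.2 or set "
            f"{FILES_HANDLER_TRAIT}={FILES_HANDLER_WORKAROUND}"
        )
    return findings


def audit_installed(argv=()):
    """Audit the jupyter_server distribution visible to this interpreter."""
    try:
        version = metadata.version("jupyter_server")
    except metadata.PackageNotFoundError:
        return ["jupyter_server is not installed in this interpreter"]
    return audit(version, argv)


if __name__ == "__main__":
    import sys
    # Pass the flags the server is started with, e.g.
    #   python audit_jupyter.py --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler
    lines = audit_installed(sys.argv[1:])
    print("\n".join(lines) if lines else "no applicable findings")
```

Run it inside the virtualenv or container that actually serves Jupyter, passing the server's start-up flags; a workaround set in a config file rather than on the command line is outside what this helper inspects, and a pre-release such as 2.7.2rc1 is deliberately reported as affected.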