Vulnerability Details : CVE-2019-10255
An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.
Vulnerability category: Open redirect
Products affected by CVE-2019-10255
- cpe:2.3:a:jupyter:notebook:*:*:*:*:*:*:*:*
- cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10255
EPSS score: 0.36% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~72% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-10255
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | |
The first row is the CVSS v2 vector, the second the CVSS v3.0 vector; the v3.0 score carries UI:R (the victim must follow the crafted link and log in) and S:C (the impact lands on the site the victim is redirected to, not only the Jupyter server).
CWE ids for CVE-2019-10255
- The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-10255
- https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4
  Open Redirect Vulnerability in Jupyter notebook, JupyterHub (Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/
  [SECURITY] Fedora 29 Update: python-notebook-5.7.8-1.fc29 (package-announce, Fedora Mailing-Lists)
- https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a8ed
  changelog for redirect check · jupyter/notebook@d65328d · GitHub (Patch; Third Party Advisory)
- https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
  protect against chrome mishandling backslash as slash in URLs · jupyter/notebook@08c4c89 · GitHub (Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/
  [SECURITY] Fedora 30 Update: python-notebook-5.7.8-1.fc30 (package-announce, Fedora Mailing-Lists)
- https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b
  parse urls when validating redirect targets · jupyter/notebook@70fe9f0 · GitHub (Patch; Third Party Advisory)
- https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c
  Comparing 05aa4b2...16cf97c · jupyter/notebook · GitHub (Third Party Advisory; Patch)
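The description above and the patch commits listed here ("parse urls when validating redirect targets", "protect against chrome mishandling backslash as slash in URLs") describe two things a login-redirect check has to get right: the target must be parsed as a URL rather than string-matched, and a backslash must be treated the way Chrome and Firefox treat it, as a slash, so that `/\evil.example` is not accepted as a local path and then navigated as `//evil.example`. The following is an added example, not Jupyter's own code; the function names, the `base_url` handling and the constructed test targets are this example's assumptions. It also strips the ASCII tab/newline and leading/trailing control characters that browsers discard before parsing, which goes a little beyond the specific backslash case in the commits.

```python
"""Validate a post-login "next" target so it can only land on our own site.

Added example, not code from the Jupyter project. Function names and the
base_url convention (server path prefix ending in "/") are assumptions.
"""
from urllib.parse import urlparse

# The WHATWG URL parser removes ASCII tab and newline anywhere in the input and
# strips leading/trailing C0 controls and spaces before parsing. A naive prefix
# check that does not do the same can be fooled by "/\t/evil.example".
_TAB_NEWLINE = {ord(c): None for c in "\t\n\r"}
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))


def _browser_clean(target: str) -> str:
    """Apply the same pre-parse stripping a browser applies."""
    return target.translate(_TAB_NEWLINE).strip(_C0_AND_SPACE)


def is_safe_redirect(target: str, base_url: str = "/") -> bool:
    """True only if ``target`` is an absolute path under ``base_url`` on this host."""
    if not target:
        return False
    cleaned = _browser_clean(target)
    # Chrome and Firefox treat "\" like "/" in http(s) URLs, so validate the
    # form the browser will actually navigate to.
    as_browser_sees_it = cleaned.replace("\\", "/")
    parsed = urlparse(as_browser_sees_it)
    # Any scheme or authority ("https://evil.example", "//evil.example",
    # "javascript:...") is off-site or not a path at all.
    if parsed.scheme or parsed.netloc:
        return False
    # urlparse() leaves netloc empty for three or more leading slashes, but a
    # browser still collapses "///evil.example" to an authority. Require exactly
    # one leading slash.
    if not as_browser_sees_it.startswith("/") or as_browser_sees_it.startswith("//"):
        return False
    # Confine the redirect to our own path prefix (e.g. "/hub/").
    return (parsed.path + "/").startswith(base_url)


def safe_redirect(target: str, base_url: str = "/") -> str:
    """Return a redirect location: ``target`` if it passes, else ``base_url``.

    Backslashes in an accepted target are percent-encoded so the browser
    cannot reinterpret them as path separators on the way out.
    """
    if not is_safe_redirect(target, base_url):
        return base_url
    return _browser_clean(target).replace("\\", "%5C")


if __name__ == "__main__":
    # Constructed targets, not data from the advisory.
    for next_url in ["/tree", "/\\evil.example/", "//evil.example/",
                     "///evil.example", "/\t/evil.example",
                     "https://evil.example/", "javascript:alert(1)"]:
        print(f"{next_url!r:28} -> {safe_redirect(next_url, '/')!r}")
```

A check of this shape is what makes the `base_url` remark in the description sensible: when the server lives under a prefix such as `/hub/`, the final prefix comparison rejects anything that is not a path beneath that prefix, which already excludes host-only targets.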