CVE-2023-39968 : jupyter-server is the backend for Jupyter web applications. Open Redirect Vulner

jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published 2023-08-28 21:15:08

Updated 2023-09-15 22:15:14

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Open redirect

Products affected by CVE-2023-39968

Jupyter » Jupyter Server
Versions before (<) 2.7.2
cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-39968

EPSS FAQ

0.40%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-39968

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N	2.8	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2023-39968

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2023-39968

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3

Open Redirect Vulnerability · Advisory · jupyter-server/jupyter_server · GitHub
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/

[SECURITY] Fedora 38 Update: python-jupyter-server-2.1.0-2.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/

[SECURITY] Fedora 39 Update: python-jupyter-server-2.7.2-1.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925

Merge pull request from GHSA-r726-vmfq-j9j3 · jupyter-server/jupyter_server@2903625 · GitHub
Patch

Jump to

Vulnerability Details : CVE-2023-39968

Products affected by CVE-2023-39968

Exploit prediction scoring system (EPSS) score for CVE-2023-39968

CVSS scores for CVE-2023-39968

CWE ids for CVE-2023-39968

References for CVE-2023-39968