Vulnerability Details : CVE-2023-40170
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
Vulnerability category: Cross site scripting (XSS)BypassGain privilege
Products affected by CVE-2023-40170
- cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-40170
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 35 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-40170
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | |
4.6
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
2.1
|
2.5
|
GitHub, Inc. |
CWE ids for CVE-2023-40170
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Secondary)
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: security-advisories@github.com (Primary)
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-40170
-
https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd
Merge pull request from GHSA-64x5-55rw-9974 · jupyter-server/jupyter_server@87a4927 · GitHubPatch
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/
[SECURITY] Fedora 38 Update: python-jupyter-server-2.1.0-2.fc38 - package-announce - Fedora Mailing-Lists
-
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
cross-site inclusion (XSSI) of files · Advisory · jupyter-server/jupyter_server · GitHubVendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
[SECURITY] Fedora 39 Update: python-jupyter-server-2.7.2-1.fc39 - package-announce - Fedora Mailing-Lists
Jump to