Jupyter Server
CVE-2023-40170
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit 87a49272728 which has been included in release 2.7.2. Users are advised to upgrade. Users unable to upgrade may use the lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks.
AnalysisAI
jupyter-server is the backend for Jupyter web applications. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-284. jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit 87a49272728 which has been included in release 2.7.2. Users are advised to upgrade. Users unable to upgrade may use the lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks. Affected products include: Jupyter Jupyter Server.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Jupyter Server
View allThe Jupyter Server provides the backend (i.e. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitab
Jupyter Server provides the backend (i.e. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, lo
The Jupyter Server provides the backend for Jupyter web applications. Rated high severity (CVSS 7.5), this vulnerability
The Jupyter Server provides the backend (i.e. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable
jupyter-server is the backend for Jupyter web applications. Rated medium severity (CVSS 6.1), this vulnerability is remo
Jupyter Server before version 1.0.6 has an Open redirect vulnerability. Rated medium severity (CVSS 5.4), this vulnerabi
The Jupyter Server provides the backend (i.e. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitab
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today