Severity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 14 pypi packages depend on jupyter-core (14 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.8.1.
DescriptionGitHub Advisory
Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users; or as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions; or as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).
AnalysisAI
A security vulnerability in Jupyter Core (CVSS 7.3) that allows users. High severity vulnerability requiring prompt remediation.
Technical ContextAI
CWE-427 (Uncontrolled Search Path). CVSS 7.3 indicates high severity. Affects Jupyter Core.
RemediationAI
Monitor vendor channels for patch availability.
More in Jupyter Core
View allSame weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Authentication Bypass
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye (security), bullseye | fixed | 4.7.1-1+deb11u1 | - |
| bookworm | fixed | 4.12.0-1 | - |
| trixie | fixed | 5.7.2-5 | - |
| forky, sid | fixed | 5.9.1-1 | - |
| (unstable) | not-affected | - | - |
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-16771
GHSA-33p9-3p43-82vq