CVE-2023-40170
Summary
| CVE | CVE-2023-40170 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2023-08-28 21:15:00 UTC |
|---|
| Updated | 2023-09-15 22:15:00 UTC |
|---|
| Description | jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| [SECURITY] Fedora 38 Update: python-jupyter-server-2.1.0-2.fc38 - package-announce - Fedora Mailing-Lists |
MISC |
lists.fedoraproject.org |
|
| [SECURITY] Fedora 39 Update: python-jupyter-server-2.7.2-1.fc39 - package-announce - Fedora Mailing-Lists |
MISC |
lists.fedoraproject.org |
|
| Merge pull request from GHSA-64x5-55rw-9974 · jupyter-server/jupyter_server@87a4927 · GitHub |
MISC |
github.com |
|
| cross-site inclusion (XSSI) of files · Advisory · jupyter-server/jupyter_server · GitHub |
MISC |
github.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 285278 Fedora Security Update for python (FEDORA-2023-3d77cfc654)
- 506102 Alpine Linux Security Update for jupyter-server
