ALT-PU-2023-8688-1

Package update python3-module-jupyter_server in branch sisyphus

Version2.7.2-alt1

Published2023-08-18

Max severityMEDIUM

Severity:

Closed issues (4)

MEDIUM6.1

jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: 2023-08-28Modified: 2024-11-21

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

MEDIUM6.1

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.

Published: 2023-08-28Modified: 2024-11-21

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

GHSA-64x5-55rw-9974

MEDIUM4.6

cross-site inclusion (XSSI) of files in jupyter-server

Published: 2023-08-30

CVSS 3.xMEDIUM 4.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

GHSA-r726-vmfq-j9j3

MEDIUM5.3

Open Redirect Vulnerability in jupyter-server

Published: 2023-08-30Modified: 2024-09-24

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS 4.0MEDIUM 5.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References