CVE-2023-39968

EUVD-2023-0102
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
GitHub_MCNA
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
Affected Products (NVD)
VendorProductVersion
jupyterjupyter_server
𝑥
< 2.7.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jupyter-server
bookworm
no-dsa
bullseye
no-dsa
sid
2.14.2-5
fixed
trixie
2.14.2-5
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jupyter-server
bionic
ignored
focal
dne
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/
https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/