CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32428 – Jupyter Remote Desktop Proxy makes TigerVNC accessible via the network and not just via a UNIX socket as intended
https://notcve.org/view.php?id=CVE-2025-32428
14 Apr 2025 — Jupyter Remote Desktop Proxy allows you to run a Linux Desktop on a JupyterHub. jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy were still accessible via the network. This vulnerability does not affect users having TurboVNC as the vncserver executable. This issue is fixed in 3.0.1. • https://github.com/jupyterhub/jupyter-remote-desktop-proxy/commit/7dd54c25a4253badd8ea68895437e5a66a59090d • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-25574 – JupyterHub's LTI13Authenticator: JWT signature not validated
https://notcve.org/view.php?id=CVE-2023-25574
25 Feb 2025 — `jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. • https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41942 – JupyterHub has a privilege escalation vulnerability with the `admin:users` scope
https://notcve.org/view.php?id=CVE-2024-41942
08 Aug 2024 — JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to th... • https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428 • CWE-274: Improper Handling of Insufficient Privileges •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37300 – Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
https://notcve.org/view.php?id=CVE-2024-37300
12 Jun 2024 — OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because `allow_all` did not take precedence over `identity_provider`. Since JupyterHub 5.0, `allow_all` does take precedence over `identity_provider`. On a hub with the same config, now all users will be allowed to login, regardle... • https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654 • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-35225 – Jupyter Server Proxy has a reflected XSS issue in host parameter
https://notcve.org/view.php?id=CVE-2024-35225
11 Jun 2024 — Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting (XSS) issue. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28233 – XSS in JupyterHub via Self-XSS leveraged by Cookie Tossing
https://notcve.org/view.php?id=CVE-2024-28233
27 Mar 2024 — JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either th... • https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29033 – GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace
https://notcve.org/view.php?id=CVE-2024-29033
20 Mar 2024 — OAuthenticator provides plugins for JupyterHub to use common OAuth providers, as well as base classes for writing one's own Authenticators with any OAuth 2.0 provider. `GoogleOAuthenticator.hosted_domain` is used to restrict what Google accounts can be authorized access to a JupyterHub. The restriction is intented to be to Google accounts part of one or more Google organization verified to control specified domain(s). Prior to version 16.3.0, the actual restriction has been to Google accounts with emails en... • https://github.com/jupyterhub/oauthenticator/commit/5246b09675501b09fb6ed64022099b7644812f60 • CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-28179 – Jupyter Server Proxy's Websocket Proxying does not require authentication
https://notcve.org/view.php?id=CVE-2024-28179
20 Mar 2024 — Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. ... • https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41194 – Improper Access Control in jupyterhub-firstuseauthenticator
https://notcve.org/view.php?id=CVE-2021-41194
28 Oct 2021 — FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation e... • https://github.com/jupyterhub/firstuseauthenticator/pull/38 • CWE-284: Improper Access Control •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39160 – Code injection in nbgitpuller
https://notcve.org/view.php?id=CVE-2021-39160
25 Aug 2021 — nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade. nbgitpuller es una extensión del servidor Jupyter para sincronizar un repositorio git de forma unidireccional a una ruta local. Debido a una entrada no saneada, v... • https://github.com/jupyterhub/nbgitpuller/blob/main/CHANGELOG.md#0102---2021-08-25 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •