CVE-2022-21697
SSRF vulnerability (requires authentication)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the `allowed_hosts` check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.
Jupyter Server Proxy es una extensión del servidor de cuadernos Jupyter para proxy de servicios web. Las versiones de Jupyter Server Proxy anteriores a la 3.2.1 son vulnerables a un ataque de tipo Server-Side Request Forgery (SSRF). Cualquier usuario que despliegue Jupyter Server o Notebook con la extensión jupyter-proxy-server habilitada está afectado. Una falta de comprobación de la entrada permite a clientes autenticados enviar peticiones a otros hosts, omitiendo la comprobación "allowed_hosts". Debido a que es requerida la autenticación, que ya otorga permisos para realizar las mismas peticiones por medio del kernel o de la ejecución del terminal, esto es considerado de gravedad baja a moderada. Los usuarios pueden actualizar a la versión 3.2.1 para recibir un parche o, como medida de mitigación, instalar el parche manualmente
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-16 CVE Reserved
- 2022-01-25 CVE Published
- 2023-11-14 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-gcv9-6737-pjqw | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jupyter Search vendor "Jupyter" | Jupyter Server Proxy Search vendor "Jupyter" for product "Jupyter Server Proxy" | < 3.2.1 Search vendor "Jupyter" for product "Jupyter Server Proxy" and version " < 3.2.1" | - |
Affected
|