CVE-2022-21697

SSRF vulnerability (requires authentication)

Severity Score: 7.1 (CVSS v3.1)
Exploit Likelihood: - (EPSS)
Affected Versions: - (CPE)
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions

Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the `allowed_hosts` check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.
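The security-relevant point in the description is the shape of the bug, not the proxying itself: the extension already has an `allowed_hosts` check, but because the host taken from the request is not validated before the outbound URL is built, an authenticated user can make the proxy connect somewhere the check never approved (CWE-918). The following Python is an added illustration written for this page. It is not jupyter-server-proxy's code and does not reproduce the actual CVE-2022-21697 payload; the `ALLOWED_HOSTS` set, the `/proxy/<host:port>/<rest>` path shape, and the userinfo-style input are assumptions chosen to show the class of bypass a loose check allows and how a strict check closes it.

```python
"""Illustrative host allow-list check for a path-based HTTP proxy.

Added example, not jupyter-server-proxy's code. It shows the CWE-918 pattern
the advisory describes: an allow-list checked against a loosely parsed value
while the outbound URL is built from the raw, attacker-controlled segment.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list for the example (assumption, not the project's config).
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

# Strict "host:port" shape: hostname characters only, then a decimal port.
HOST_PORT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?):(?P<port>\d{1,5})$"
)


def build_target_naive(segment, rest, allowed=ALLOWED_HOSTS):
    """Vulnerable pattern: check a loosely derived host, forward the raw segment.

    `segment` is the first path component of a request such as
    /proxy/<segment>/<rest>. Only the text before the first ':' is checked,
    then the whole untrusted segment is spliced into the outbound URL.
    """
    host = segment.split(":", 1)[0]
    if host not in allowed:
        return None
    return f"http://{segment}/{rest.lstrip('/')}"


def build_target_strict(segment, rest, allowed=ALLOWED_HOSTS):
    """Hardened pattern: validate shape, allow-list the parsed host, rebuild URL.

    The outbound URL is assembled only from the validated host and port and
    then re-parsed to confirm the effective destination did not change.
    """
    m = HOST_PORT_RE.match(segment)
    if not m:
        return None
    host = m.group("host").lower()
    port = int(m.group("port"))
    if host not in allowed or not (0 < port < 65536):
        return None
    url = f"http://{host}:{port}/{rest.lstrip('/')}"
    parts = urlsplit(url)
    # The destination an HTTP client would use must be exactly what was approved.
    if parts.hostname != host or parts.port != port or parts.username is not None:
        return None
    return url


def effective_host(url):
    """Where an HTTP client would actually connect for `url`."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    # Constructed inputs: a legitimate request and a userinfo-style smuggle.
    legit = ("localhost:8888", "api/status")
    smuggled = ("localhost:8888@198.51.100.7", "api/status")
    for seg, rest in (legit, smuggled):
        naive = build_target_naive(seg, rest)
        print(f"{seg}: naive -> {naive} (connects to {effective_host(naive)})")
        print(f"{seg}: strict -> {build_target_strict(seg, rest)}")
```

With the naive check, the smuggled segment passes because the text before the first `:` is `localhost`, yet the URL it produces connects to `198.51.100.7`; the strict version rejects it at the shape check and would also reject any rebuilt URL whose parsed host differs from the approved one. The same principle applies whatever the real bypass looked like: validate the components, build the URL from those components only, and re-parse before connecting.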

*Credits: N/A
CVSS Scores
CVSS v3 (first vector): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: Low; Availability: None
CVSS v3 (second vector, differs only in User Interaction): AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: Required; Scope: Unchanged; Confidentiality: High; Integrity: Low; Availability: None
CVSS v2: AV:N/AC:L/Au:S/C:P/I:P/A:N
  Attack Vector: Network; Attack Complexity: Low; Authentication: Single; Confidentiality: Partial; Integrity: Partial; Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2022-01-25 CVE Published
  • 2023-11-14 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Jupyter | Jupyter Server Proxy | < 3.2.1 | - | Affected