CVE-2023-39968

Open Redirect Vulnerability in jupyter-server

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

jupyter-server es el backend de las aplicaciones web de Jupyter. Vulnerabilidad de Redireccionamiento Abierto. Los enlaces de inicio de sesión creados maliciosamente a servidores Jupyter conocidos pueden provocar que un inicio de sesión exitoso o una sesión ya iniciada sea redirigida a sitios arbitrarios, que deben restringirse a las URL servidas por Jupyter Server. Este problema se solucionó en el commit "29036259", que se incluye en la versión 2.7.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-07 CVE Reserved
2023-08-28 CVE Published
2024-09-29 EPSS Updated
2024-09-30 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CAPEC

References (4)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF

URL	Date	SRC

URL	Date	SRC
https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925	2023-09-15

URL	Date	SRC
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3	2023-09-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Jupyter Search vendor "Jupyter"		Jupyter Server Search vendor "Jupyter" for product "Jupyter Server"				< 2.7.2 Search vendor "Jupyter" for product "Jupyter Server" and version " < 2.7.2"		-		Affected