Main Vulnerability Database Vulnerabilities #VU80088

Improper access control in Jupyter Server - CVE-2023-40170

Published: August 29, 2023

Vulnerability identifier: #VU80088

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-40170

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Jupyter Server

Software vendor:
Jupyter

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper cross-site credential checks on "/files/" URLs. A remote attacker can gain access to certain file contents, or access files when opening untrusted files via "Open image in new tab".

Remediation

Install updates from vendor's website.

External links

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd

Improper access control in Jupyter Server - CVE-2023-40170

Description

Remediation

External links

Please verify you're human