Skip to content

Open Redirect Vulnerability in jupyter-server

Moderate severity GitHub Reviewed Published Aug 28, 2023 in jupyter-server/jupyter_server • Updated Jul 3, 2024

Package

pip jupyter-server (pip)

Affected versions

< 2.7.2

Patched versions

2.7.2

Description

Impact

Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.

Patches

Upgrade to Jupyter Server 2.7.2

Workarounds

None.

References

Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

References

@Zsailer Zsailer published to jupyter-server/jupyter_server Aug 28, 2023
Published by the National Vulnerability Database Aug 28, 2023
Published to the GitHub Advisory Database Aug 29, 2023
Reviewed Aug 29, 2023
Last updated Jul 3, 2024

Severity

Moderate
6.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2023-39968

GHSA ID

GHSA-r726-vmfq-j9j3

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.