Skip to content

Open Redirect vulnerability in jupyterhub and notebook

Moderate severity GitHub Reviewed Published Apr 2, 2019 to the GitHub Advisory Database • Updated Sep 5, 2023

Package

pip jupyterhub (pip)

Affected versions

< 0.9.6

Patched versions

0.9.6
pip notebook (pip)
< 5.7.8
5.7.8

Description

An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.8 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.6 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.

References

Published to the GitHub Advisory Database Apr 2, 2019
Reviewed Jun 16, 2020
Last updated Sep 5, 2023

Severity

Moderate
6.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

CVE-2019-10255

GHSA ID

GHSA-rv62-4pmj-xw6h

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.