CVE-2023-39968: Merge pull request from GHSA-r726-vmfq-j9j3 · jupyter-server/jupyter_server@2903625
jupyter-server is the backend for Jupyter web applications. It contained an open redirect vulnerability: maliciously crafted login links to known Jupyter Servers could cause a successful login, or an already logged-in session, to be redirected to arbitrary sites, whereas redirects should be restricted to URLs served by the Jupyter Server. This issue has been addressed in commit 29036259, which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
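The parsing ambiguity behind this advisory, as an added example that is not jupyter_server's own code: a pre-fix style check that only runs the cross-origin test when `urlparse` reports a netloc, beside a hardened variant that first rewrites the URL the way a browser would read it (backslash as slash, `scheme:///host` as `scheme://host`) and then treats any scheme or netloc as a full URL. `BASE_URL`, `REQUEST_ORIGIN` and the host `evil.example` are assumptions for the example; the normaliser goes slightly beyond the page by only collapsing the slashes when the text before the first colon is syntactically a scheme, so a colon inside a same-origin path is left alone.

```python
import re
from urllib.parse import urlparse

# Assumptions for this example (not jupyter_server configuration):
BASE_URL = "/"                               # hypothetical base_url of the server
REQUEST_ORIGIN = "https://jupyter.example"   # hypothetical origin of the current request
# URL scheme grammar: a letter followed by letters, digits, "+", "-" or "."
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*")


def _same_origin(parsed) -> bool:
    """Compare scheme://netloc of a parsed URL with the request origin."""
    # An empty scheme (`//host/path`) inherits the request's scheme in browsers.
    scheme = parsed.scheme or REQUEST_ORIGIN.split("://", 1)[0]
    return f"{scheme}://{parsed.netloc}".lower() == REQUEST_ORIGIN


def redirect_target_naive(url: str, default: str = BASE_URL) -> str:
    """Pre-fix style check: only a non-empty netloc triggers the cross-origin test.

    `https:///evil.example/steal` parses with netloc="" and path="/evil.example/steal",
    so it passes the base_url test while a browser sends the user to evil.example.
    """
    parsed = urlparse(url)
    if parsed.netloc:
        return url if _same_origin(parsed) else default
    return url if (parsed.path + "/").startswith(BASE_URL) else default


def normalize_for_browser(url: str) -> str:
    """Rewrite `url` so urlparse sees the same host a browser would."""
    # Browsers treat a literal backslash as "/", so `/\host` would become `//host`.
    url = url.replace("\\", "%5C")
    # Browsers collapse `scheme:///host/path` (any run of slashes) to `scheme://host/path`,
    # while urlparse gives netloc="" and path="/host/path".  Only rewrite when the text
    # before the first ":" is actually a scheme, so a colon inside a same-origin path
    # or query (`/lab/tree/a:b.ipynb`) is left untouched.
    head, sep, rest = url.partition(":")
    if sep and SCHEME_RE.fullmatch(head):
        url = f"{head}://{rest.lstrip('/')}"
    return url


def redirect_target_hardened(url: str, default: str = BASE_URL) -> str:
    """Normalise first, then treat any scheme or netloc as a full URL."""
    url = normalize_for_browser(url)
    parsed = urlparse(url)
    if parsed.scheme or parsed.netloc:
        return url if _same_origin(parsed) else default
    return url if (parsed.path + "/").startswith(BASE_URL) else default


if __name__ == "__main__":
    # Constructed inputs; evil.example is a placeholder attacker host.
    for candidate in ["/lab/tree/a:b.ipynb", "https://jupyter.example/lab",
                      "https:///evil.example/steal", "/\\evil.example",
                      "//evil.example/x", "javascript:alert(1)"]:
        print(f"{candidate!r:32} naive={redirect_target_naive(candidate)!r:32} "
              f"hardened={redirect_target_hardened(candidate)!r}")
```

Run it and compare the two columns: the naive check hands `https:///evil.example/steal` and `/\evil.example` back unchanged, and a browser resolves both against the attacker's host; the hardened check sends the first to the default and turns the second into the harmless same-origin path `/%5Cevil.example`.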
@@ -41,12 +41,25 @@ def _redirect_safe(self, url, default=None):
# \ is not valid in urls, but some browsers treat it as /
# instead of %5C, causing `\\` to behave as `//`
url = url.replace("\\", “%5C”)
# urllib and browsers interpret extra ‘/’ in the scheme separator (`scheme:///host/path`)
# differently.
# urllib gives scheme=scheme, netloc=’’, path=’/host/path’, while
# browsers get scheme=scheme, netloc=’host’, path=’/path’
# so make sure ‘:///*’ collapses to ‘://’ by splitting and stripping any additional leading slash
# don’t allow any kind of `:/` shenanigans by splitting on ‘:’ only
# and replacing `:/*` with exactly `://`
if “:” in url:
scheme, _, rest = url.partition(“:”)
url = f"{scheme}://{rest.lstrip(‘/’)}"
parsed = urlparse(url)
if parsed.netloc or not (parsed.path + “/”).startswith(self.base_url):
# full url may be `//host/path` (empty scheme == same scheme as request)
# or `https://host/path`
# or even `https:///host/path` (invalid, but accepted and ambiguously interpreted)
if (parsed.scheme or parsed.netloc) or not (parsed.path + “/”).startswith(self.base_url):
# require that next_url be absolute path within our path
allow = False
# OR pass our cross-origin check
if parsed.netloc:
if parsed.scheme or parsed.netloc:
# if full URL, run our cross-origin check:
origin = f"{parsed.scheme}://{parsed.netloc}"
origin = origin.lower()
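Review bot: the colon rewrite (`if ":" in url:` / `scheme, _, rest = url.partition(":")` / `url = f"{scheme}://{rest.lstrip('/')}"`) fires on every colon, not only on a scheme separator, so a legitimate same-origin target such as `/lab/tree/a:b.ipynb` or `/lab?x=1:2` is rewritten to `/lab/tree/a://b.ipynb` or `/lab?x=1://2` before the base_url check and the user lands on a wrong path. The rewritten string still starts with base_url, so this is a correctness regression rather than a bypass, but consider only collapsing the slashes when the text before the first `:` is a syntactically valid scheme (a letter followed by letters, digits, `+`, `-` or `.`); anything else is not parsed as a scheme by urlparse or by a browser and can be left untouched. Minor: the two comment blocks above the rewrite (`urllib and browsers interpret extra '/' in the scheme separator ...` and `don't allow any kind of `:/` shenanigans ...`) describe the same normalisation and could be merged into one.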
Related news
### Impact
Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.

### Patches
Upgrade to Jupyter Server 2.7.2

### Workarounds
None.

### References
Vulnerability reported by user davwwwx via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).

- https://blog.xss.am/2023/08/CVE-2023-39968-jupyter-token-leak/