GHSA-m678-f26j-3hrp: Execution with Unnecessary Privileges in JupyterApp
Impact
What kind of vulnerability is it? Who is impacted?
We’d like to disclose an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in the current working directory. This vulnerability allows one user to run code as another.
Patches
Has the problem been patched? What versions should users upgrade to?
Users should upgrade to jupyter_core>=4.11.2.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No
References
Are there any links users can visit to find out more?
Similar advisory in IPython
References
- GHSA-m678-f26j-3hrp
Related news
Ubuntu Security Notice 6153-1 - It was discovered that Jupyter Core executed untrusted files in the current working directory. An attacker could possibly use this issue to execute arbitrary code.
Debian Linux Security Advisory 5422-1 - It was discovered that jupyter-core, the core common functionality for Jupyter projects, could execute arbitrary code in the current working directory while loading configuration files.
Gentoo Linux Security Advisory 202301-4 - A vulnerability has been discovered in jupyter_core which could allow for the execution of code as another user. Versions less than 4.11.2 are affected.
Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.
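The advisories above describe the defect (config files loaded from the current working directory) but not how to check whether a working directory is one where an unpatched jupyter_core would pick up a file another user controls. The following is an added example, not code from the jupyter_core project or from the advisory. It assumes the `<app>_config.py` / `<app>_config.json` naming convention for Jupyter config files and treats a file as untrusted when it is not owned by the invoking user or is writable by other users; it also reports whether the directory itself lets other users plant files there, which is the precondition for the issue.

```python
"""Audit a working directory for Jupyter config files that an unpatched
jupyter_core (< 4.11.2) would load from CWD.

Added example, not jupyter_core's own code. Assumption: config files
follow the <app>_config.py / <app>_config.json naming convention.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumed candidate file names (jupyter_core's <app>_config.{py,json} convention).
CANDIDATE_NAMES = (
    "jupyter_config.py", "jupyter_config.json",
    "jupyter_notebook_config.py", "jupyter_notebook_config.json",
    "jupyter_server_config.py", "jupyter_server_config.json",
)

# Permission bits meaning "someone other than the owner may modify this".
_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_untrusted_configs(directory, uid=None):
    """Return a list of (path, reason) for candidate config files in
    `directory` that the invoking user should not trust: files owned by a
    different uid, or files writable by group/others."""
    uid = os.getuid() if uid is None else uid
    findings = []
    base = Path(directory)
    for name in CANDIDATE_NAMES:
        path = base / name
        if not path.is_file():
            continue
        st = path.stat()
        reasons = []
        if st.st_uid != uid:
            reasons.append(f"owned by uid {st.st_uid}, not {uid}")
        if st.st_mode & _OTHER_WRITE:
            reasons.append("writable by group/others")
        if reasons:
            findings.append((str(path), "; ".join(reasons)))
    return findings


def directory_is_shared(directory):
    """True when other users can create files in `directory` itself
    (e.g. /tmp or a group-writable project dir), i.e. when a config file
    could be planted there before jupyter is started from that directory."""
    st = Path(directory).stat()
    return bool(st.st_mode & _OTHER_WRITE)


def build_sample_workdir(file_mode):
    """Constructed sample input: a fresh temp directory containing a
    jupyter_config.py with the given permission bits. Returns (dir, file)."""
    workdir = tempfile.mkdtemp()
    cfg = os.path.join(workdir, "jupyter_config.py")
    with open(cfg, "w") as fh:
        fh.write("c = get_config()  # constructed placeholder config\n")
    os.chmod(cfg, file_mode)
    os.chmod(workdir, 0o700)
    return workdir, cfg


if __name__ == "__main__":
    cwd = os.getcwd()
    print(f"shared directory: {directory_is_shared(cwd)}")
    for path, reason in find_untrusted_configs(cwd):
        print(f"UNTRUSTED {path}: {reason}")
```

Run it from any directory you are about to start `jupyter` in; a non-empty finding list, or `shared directory: True` together with a config file present, is the situation the advisory warns about on an unpatched install. The check is deliberately independent of jupyter_core so it runs even where the package is not installed.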