GHSA-r726-vmfq-j9j3: Open Redirect Vulnerability in jupyter-server
Impact
Open redirect vulnerability: maliciously crafted login links to known Jupyter Servers can cause a successful login, or an already logged-in session, to be redirected to arbitrary sites; the post-login redirect should be restricted to Jupyter Server-served URLs.
Patches
Upgrade to Jupyter Server 2.7.2
Workarounds
None.
References
Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
- https://blog.xss.am/2023/08/CVE-2023-39968-jupyter-token-leak/
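The fix itself lives in the referenced commit. As an added illustration, not jupyter_server's own code, the helper below shows the kind of check that keeps a post-login redirect target inside the server's own URL space: absolute and protocol-relative URLs, backslash variants that browsers read as "//host", and paths that escape the configured base URL all fall back to the base URL. `safe_redirect_target` and its `base_url` parameter are hypothetical names chosen for this example.

```python
from urllib.parse import urlsplit, urlunsplit
import posixpath


def safe_redirect_target(next_url: str, base_url: str = "/") -> str:
    """Return next_url only if it stays under base_url on this server; else base_url.

    Hypothetical helper written for this page; base_url is assumed to be the
    prefix the server is mounted at (e.g. "/" or "/jupyter/").
    """
    if not next_url:
        return base_url
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing:
    # "/\evil.example" must not look like a relative path here but a host there.
    candidate = next_url.replace("\\", "/")
    parts = urlsplit(candidate)
    # A scheme ("https:", "javascript:") or a host means an off-site target.
    if parts.scheme or parts.netloc:
        return base_url
    # "///host" has no netloc for urlsplit but browsers still read a host from it.
    if candidate.startswith("//"):
        return base_url
    # Only server-rooted paths are accepted; relative paths are rejected outright.
    if not parts.path.startswith("/"):
        return base_url
    # Collapse "." / ".." segments, then confirm the result is still under base_url.
    normalised = posixpath.normpath(parts.path)
    prefix = base_url.rstrip("/")
    if not (normalised == prefix or normalised.startswith(prefix + "/")):
        return base_url
    # Re-attach query and fragment; scheme and host are deliberately left empty.
    return urlunsplit(("", "", normalised, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample targets: the first three are rejected, the last is kept.
    for target in ("https://evil.example/", "/\\evil.example", "///evil.example",
                   "/tree/notebooks?foo=1"):
        print(repr(target), "->", safe_redirect_target(target))
```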
Moderate severity GitHub Reviewed Published Aug 28, 2023 in jupyter-server/jupyter_server • Updated Aug 29, 2023
Package
jupyter-server (pip)
Affected versions
< 2.7.2
Patched versions
2.7.2
References
- GHSA-r726-vmfq-j9j3
- https://nvd.nist.gov/vuln/detail/CVE-2023-39968
- jupyter-server/jupyter_server@2903625
Zsailer published to jupyter-server/jupyter_server
Aug 28, 2023
Published to the GitHub Advisory Database
Aug 29, 2023
Reviewed
Aug 29, 2023
Last updated
Aug 29, 2023
Severity
Moderate
4.3 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Weaknesses
CWE-601
CVE ID
CVE-2023-39968
GHSA ID
GHSA-r726-vmfq-j9j3
Source code
jupyter-server/jupyter_server
Credits
- davwwwx Reporter
Related news
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.