Headline
GHSA-44cc-43rp-5947: JupyterLab vulnerable to potential authentication and CSRF tokens leak
Impact
Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version.
Patches
JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.
Workarounds
No workaround has been identified; however, users should upgrade jupyter-server to version 2.7.2 or newer, which includes the redirect vulnerability fix.
References
Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
Package: jupyterlab (pip)
Affected versions: >= 4.0.0, <= 4.0.10; <= 3.6.6
Patched versions: 4.0.11; 3.6.7
Package: notebook (pip)
Affected versions: >= 7.0.0, <= 7.0.6
Patched versions: 7.0.7
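As an added check that is not part of the advisory or of the JupyterLab project, the following Python script compares installed versions against the affected ranges listed above and against the jupyter-server 2.7.2 fix threshold named in the Workarounds section; the range table is transcribed from this advisory, and versions are read from the current environment with the standard library's importlib.metadata.

```python
import re
from importlib import metadata

# Affected ranges transcribed from the advisory: (lower bound or None, upper bound), both inclusive.
AFFECTED = {
    "jupyterlab": [("4.0.0", "4.0.10"), (None, "3.6.6")],
    "notebook": [("7.0.0", "7.0.6")],
}
JUPYTER_SERVER_FIXED = "2.7.2"  # advisory: this jupyter-server release carries the redirect fix

def parse_version(text):
    """Turn '4.0.10' or '4.1.0b2' into a comparable tuple; a pre-release suffix
    such as 'b2' sorts below the final release with the same number."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]+\d*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad so that 4.0 compares equal to 4.0.0
    return (nums, 0, m.group(2)) if m.group(2) else (nums, 1, "")

def is_affected(package, version):
    """True if this version of the package falls inside an affected range."""
    v = parse_version(version)
    return any((low is None or parse_version(low) <= v) and v <= parse_version(high)
               for low, high in AFFECTED.get(package, []))

def server_has_fix(version):
    """True once jupyter-server is at or above the release carrying the redirect fix."""
    return parse_version(version) >= parse_version(JUPYTER_SERVER_FIXED)

def audit(installed):
    """installed: {distribution name: version}. Returns a list of findings (empty = clean)."""
    findings = [f"{p} {v} is in an affected range" for p, v in installed.items() if is_affected(p, v)]
    srv = installed.get("jupyter-server")
    if srv is not None and not server_has_fix(srv):
        findings.append(f"jupyter-server {srv} predates the redirect fix (need >= {JUPYTER_SERVER_FIXED})")
    return findings

def installed_versions():
    """Read the three distributions' versions from the current environment."""
    out = {}
    for name in ("jupyterlab", "notebook", "jupyter-server"):
        try:
            out[name] = metadata.version(name)
        except metadata.PackageNotFoundError:
            pass  # not installed in this environment
    return out

if __name__ == "__main__":
    for line in audit(installed_versions()) or ["no affected versions found"]:
        print(line)
```

A patched JupyterLab alone is not enough for the audit to come back clean: a jupyter-server older than 2.7.2 is reported separately, matching the advisory's Workarounds guidance.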
References
- GHSA-44cc-43rp-5947
- jupyterlab/jupyterlab@1ef7a4f
- jupyterlab/jupyterlab@fccd83d
krassowski published to jupyterlab/jupyterlab: Jan 19, 2024
Published to the GitHub Advisory Database: Jan 19, 2024
Reviewed: Jan 19, 2024
Last updated: Jan 19, 2024