Upstream information
Description
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
Metric | National Vulnerability Database | SUSE |
---|---|---|
Base Score | 4.6 | 4.6 |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
Attack Vector | Network | Network |
Attack Complexity | Low | Low |
Privileges Required | Low | Low |
User Interaction | Required | Required |
Scope | Unchanged | Unchanged |
Confidentiality Impact | Low | Low |
Integrity Impact | Low | Low |
Availability Impact | None | None |
CVSSv3 Version | 3.1 | 3.1 |
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
openSUSE Tumbleweed | | Patchnames: openSUSE-Tumbleweed-2024-13260 |
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.
Product(s) | Source package | State |
---|---|---|
Products at an unknown state of their lifecycle. | | |
Standard | python-jupyter-server | Affected |
SUSE Timeline for this CVE
CVE page created: Tue Aug 29 00:02:20 2023
CVE page last modified: Tue Jul 2 20:12:07 2024