CVE-2022-39286Execution with Unnecessary Privileges in Core

CWE-250Execution with Unnecessary PrivilegesCWE-269Improper Privilege ManagementCWE-427Uncontrolled Search Path Element6 documents5 sources
Severity
8.8HIGHNVD
EPSS
0.3%
top 44.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Jupyter CoreDebian Jupyter-coreDebian Linux+1 more
Timeline
PublishedOct 26
Latest updateJun 12

Description

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

debiandebian/jupyter-core< jupyter-core 4.11.2-1 (bookworm)
NVDjupyter/jupyter_core< 4.11.2

Also affects: Debian Linux 10.0, 11.0, Fedora 36, 37

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Execution with Unnecessary Privileges in JupyterApp2022-10-26
GHSA
Execution with Unnecessary Privileges in JupyterApp2022-10-26
OSV
CVE-2022-39286: Jupyter Core is a package for the core common functionality of Jupyter projects2022-10-26

📋Vendor Advisories

2
Ubuntu
Jupyter Core vulnerability2023-06-12
Debian
CVE-2022-39286: jupyter-core - Jupyter Core is a package for the core common functionality of Jupyter projects....2022
CVE-2022-39286 — Execution with Unnecessary Privileges | cvebase