CVE-2023-39968
Published 2023-08-28
Priority P4 · 28 · medium · CVSS 3.1 base score 6.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
EPSS 0.59% (43.6th percentile)
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
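The bug class is CWE-601: a `next`-style parameter that is supposed to send the browser back to a page on the same Jupyter Server is accepted even when it resolves off-host, so a crafted login link lands the user (freshly authenticated or already logged in) on an attacker's site. The block below is an added example, not jupyter_server's own code and not a reconstruction of the patched function in commit `29036259`. It shows a naive same-origin check of the kind that typically fails beside a hardened one; the backslash and dot-segment inputs are well-known ways such checks break and are used here to illustrate the class, not as the specific input used against jupyter_server (the page does not document that). `naive_is_local`, `is_local_redirect`, `safe_redirect`, `classify` and the sample URLs are constructed for this illustration; the only assumption is that the server's base URL is known (default `/`) and that the only acceptable redirect target is a path under it.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample "next" values of the kind an attacker might put in a login link.
SAMPLE_TARGETS = [
    "/lab",                       # benign: path on this server
    "/lab?token=abc",             # benign: path with query string
    "//evil.example/",            # protocol-relative URL
    "/\\evil.example/",           # backslash: browsers parse this as //evil.example/
    "https://evil.example/",      # absolute URL
    "javascript:alert(1)",        # non-http scheme
    "/jupyter/../evil",           # dot-segment escape out of a base_url prefix
]


def naive_is_local(next_url: str) -> bool:
    """The check that usually gets written first: no scheme, no netloc, starts with '/'.

    Not safe: urllib does not treat '\\' as a path separator, but browsers do,
    so '/\\evil.example/' passes here and the browser follows it to evil.example.
    """
    parsed = urlparse(next_url)
    return not parsed.scheme and not parsed.netloc and next_url.startswith("/")


def is_local_redirect(next_url: str, base_url: str = "/") -> bool:
    """Return True only if next_url is a path under base_url on this server."""
    if not base_url.endswith("/"):
        base_url += "/"
    # Normalise the way a browser will before parsing: backslash is a slash.
    candidate = next_url.strip().replace("\\", "/")
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return False  # absolute or protocol-relative URL
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False  # relative paths and '//host' forms are rejected
    # Resolve dot segments against a fixed dummy origin; if the result leaves
    # that origin or escapes the base path, reject it.
    resolved = urlparse(urljoin("http://localhost/", candidate))
    if resolved.netloc != "localhost":
        return False
    path = resolved.path if resolved.path.endswith("/") else resolved.path + "/"
    return path.startswith(base_url)


def safe_redirect(next_url: str, base_url: str = "/") -> str:
    """Target to send the browser to: next_url if it is local, else the app root."""
    return next_url if is_local_redirect(next_url, base_url) else base_url


def classify(base_url: str = "/") -> dict:
    """Map each sample target to (naive verdict, hardened verdict)."""
    return {u: (naive_is_local(u), is_local_redirect(u, base_url)) for u in SAMPLE_TARGETS}


if __name__ == "__main__":
    for url, (naive, hardened) in classify("/jupyter/").items():
        print(f"{url!r:28} naive={naive!s:5} hardened={hardened}")
```

The fallback in `safe_redirect` is the app root rather than an error page, because a login flow should never echo the rejected value back to the browser. On a deployed server the first check is simpler than any of this: confirm that `jupyter_server.__version__` is 2.7.2 or later, since the advisory lists no workaround.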
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jupyter-server | < 2.14.2-1 (forky) | 2.14.2-1 (forky) |
| jupyter-server | jupyter_server | < 2.7.2 | 2.7.2 |
| jupyter | jupyter_server | < 2.7.2 | 2.7.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | 6.1 | MEDIUM | |
| vendor_debian | 4.3 | MEDIUM | |
GHSA
ghsa·2023-08-29 · CVE-2023-39968 [MEDIUM] · CWE-601
Open Redirect Vulnerability in jupyter-server
### Impact
Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.
### Patches
Upgrade to Jupyter Server 2.7.2
### Workarounds
None.
### References
Vulnerability reported by user davwwwx via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).
- https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-
OSV
osv·2023-08-29 · CVE-2023-39968 [MEDIUM]
Open Redirect Vulnerability in jupyter-server (same advisory text as the GHSA entry above).
OSV
osv·2023-08-28 · CVSS 6.1 · CVE-2023-39968 [MEDIUM]
CVE-2023-39968: jupyter-server is the backend for Jupyter web applications (same description as at the top of the page).
Debian
vendor_debian·2023 · CVSS 4.3 · CVE-2023-39968 [MEDIUM]
CVE-2023-39968: jupyter-server (same description as at the top of the page).
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.14.2-1)
sid: resolved (fixed in 2.14.2-1)
trixie: resolved (fixed in 2.14.2-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/