CVE-2023-40170
Published: 2023-08-28
Priority: P4 · 28 · medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.54% (41.4th percentile)
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jupyter-server | < jupyter-server 2.14.2-1 (forky) | jupyter-server 2.14.2-1 (forky) |
| jupyter-server | jupyter_server | < 2.7.2 | 2.7.2 |
| jupyter | jupyter_server | < 2.7.2 | 2.7.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| ghsa | 5.4 | MEDIUM | |
| osv | 6.1 | MEDIUM | |
| vendor_debian | 4.6 | MEDIUM | |
Debian
CVE-2023-40170 [MEDIUM] jupyter-server (vendor_debian · 2023 · CVSS 4.6)
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.14.2-1)
sid: resolved (fixed in 2.14.2-1)
trixie: resolved (fixed in 2.14.2-1)
GHSA
cross-site inclusion (XSSI) of files in jupyter-server
ghsa · 2023-08-29 · CVSS 5.4 · CVE-2023-40170 [MEDIUM] · CWE-284
### Impact
Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab".
### Patches
Jupyter Server 2.7.2
### Workarounds
Use lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.
### References
Upstream patch for CVE-2019-9644 was not applied completely, leaving part of the vulnerability open.
Vulnerability reported by Tim Coen via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programm
OSV
cross-site inclusion (XSSI) of files in jupyter-server
osv · 2023-08-29 · CVSS 5.4
OSV
CVE-2023-40170 [MEDIUM] jupyter-server is the backend for Jupyter web applications (osv · 2023-08-28 · CVSS 6.1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/