OpenCVE

jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Jupyter	Jupyter Server

Configuration 1 [-]

cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/

History

Mon, 30 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-28T20:16:20.851Z

Updated: 2024-09-30T17:47:55.588Z

Reserved: 2023-08-07T16:27:27.077Z

Link: CVE-2023-39968

Vulnrichment

Updated: 2024-08-02T18:18:10.086Z

NVD

Status : Modified

Published: 2023-08-28T21:15:07.777

Modified: 2023-09-15T22:15:14.217

Link: CVE-2023-39968

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39968", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-07T16:27:27.077Z", "datePublished": "2023-08-28T20:16:20.851Z", "dateUpdated": "2024-09-30T17:47:55.588Z"}, "containers": {"cna": {"title": "Open Redirect Vulnerability in jupyter-server", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3"}, {"name": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925", "tags": ["x_refsource_MISC"], "url": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/"}], "affected": [{"vendor": "jupyter-server", "product": "jupyter_server", "versions": [{"version": "< 2.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-28T20:16:20.851Z"}, "descriptions": [{"lang": "en", "value": "jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-r726-vmfq-j9j3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:18:10.086Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3"}, {"name": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-30T17:43:17.195003Z", "id": "CVE-2023-39968", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-30T17:47:55.588Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-39968", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-07T16:27:27.077Z", "datePublished": "2023-08-28T20:16:20.851Z", "dateUpdated": "2024-09-30T17:47:55.588Z"}, "containers": {"cna": {"title": "Open Redirect Vulnerability in jupyter-server", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3"}, {"name": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925", "tags": ["x_refsource_MISC"], "url": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/"}], "affected": [{"vendor": "jupyter-server", "product": "jupyter_server", "versions": [{"version": "< 2.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-28T20:16:20.851Z"}, "descriptions": [{"lang": "en", "value": "jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-r726-vmfq-j9j3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:18:10.086Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3"}, {"name": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39968", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-30T17:43:17.195003Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-30T17:47:51.387Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B83A20E2-B301-47B0-AE30-3363B1FE64F3", "versionEndExcluding": "2.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs. This issue has been addressed in commit `29036259` which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "jupyter-server es el backend de las aplicaciones web de Jupyter. Vulnerabilidad de Redireccionamiento Abierto. Los enlaces de inicio de sesi\u00f3n creados maliciosamente a servidores Jupyter conocidos pueden provocar que un inicio de sesi\u00f3n exitoso o una sesi\u00f3n ya iniciada sea redirigida a sitios arbitrarios, que deben restringirse a las URL servidas por Jupyter Server. Este problema se solucion\u00f3 en el commit \"29036259\", que se incluye en la versi\u00f3n 2.7.2. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-39968", "lastModified": "2023-09-15T22:15:14.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-08-28T21:15:07.777", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}