CVE-2023-40170 - OpenCVE

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jupyter	Jupyter Server

Configuration 1 [-]

cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-28T20:01:57.156Z

Updated: 2024-08-02T18:24:55.535Z

Reserved: 2023-08-09T15:26:41.051Z

Link: CVE-2023-40170

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-08-28T21:15:07.873

Modified: 2023-09-15T22:15:14.333

Link: CVE-2023-40170

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40170", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-08-09T15:26:41.051Z", "datePublished": "2023-08-28T20:01:57.156Z", "dateUpdated": "2024-08-02T18:24:55.535Z"}, "containers": {"cna": {"title": "cross-site inclusion (XSSI) of files in jupyter-server", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974"}, {"name": "https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd", "tags": ["x_refsource_MISC"], "url": "https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/"}], "affected": [{"vendor": "jupyter-server", "product": "jupyter_server", "versions": [{"version": "< 2.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-08-28T20:01:57.156Z"}, "descriptions": [{"lang": "en", "value": "jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via \"Open image in new tab\". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks."}], "source": {"advisory": "GHSA-64x5-55rw-9974", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:55.535Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974"}, {"name": "https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B83A20E2-B301-47B0-AE30-3363B1FE64F3", "versionEndExcluding": "2.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via \"Open image in new tab\". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks."}, {"lang": "es", "value": "jupyter-server es el backend de las aplicaciones web de Jupyter. Las comprobaciones de Improper Cross-Site Credential en las URL `/files/` podr\u00edan permitir la exposici\u00f3n de ciertos contenidos de archivos o el acceso a archivos al abrir archivos que no son de confianza a trav\u00e9s de \"Abrir imagen en una pesta\u00f1a nueva\". Este problema se solucion\u00f3 en el commit \"87a49272728\" que se incluy\u00f3 en la versi\u00f3n \"2.7.2\". Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden usar `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler` de menor rendimiento, que implementa las comprobaciones correctas."}], "id": "CVE-2023-40170", "lastModified": "2023-09-15T22:15:14.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-08-28T21:15:07.873", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}