CVE-2023-40170

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-40170

Severity

4.6

Medium

CVSS V3

Summary

cross-site inclusion (XSSI) of files in jupyter-server

Description

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit 87a49272728 which has been included in release 2.7.2. Users are advised to upgrade. Users unable to upgrade may use the lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks.

References

https://images.chainguard.dev/security/CGA-wjw8-jvx7-2x3f
https://github.com/advisories/GHSA-64x5-55rw-9974
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2023-40170

Severity

Summary

Description

References

Affected packages

Product

Solutions

Customers

Resources

Company