Home > Vulnerability Database > CVE-2023-40170

Mend.io Vulnerability Database

CVE-2023-40170

Good to know:

Date: August 28, 2023

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit `87a49272728` which has been included in release `2.7.2`. Users are advised to upgrade. Users unable to upgrade may use the lower performance `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which implements the correct checks.

Language: Python

Severity Score

4.6

Related Resources (10)

Url: https://github.com/jupyter-server/jupyter_server

Url: https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40170

Url: https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-157.yaml

Url: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/

Url: https://www.mend.io/vulnerability-database/CVE-2023-40170

Severity Score

4.6

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Improper Access Control

CWE-284

Missing Authentication for Critical Function

CWE-306

Top Fix

Upgrade Version

Upgrade to version jupyter-server - 2.7.2

Learn More

CVSS v3.1

Base Score:	4.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40170

Good to know:

Date: August 28, 2023

Language: Python

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?