CVE-2024-22421

EPSS 0.14%
Veröffentlicht 19.01.2024 21:15:09
Zuletzt bearbeitet 21.11.2024 08:56:15
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Potential authentication and CSRF tokens leak in JupyterLab

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 4 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jupyter ≫ Jupyterlab Version < 3.6.7

Jupyter ≫ Jupyterlab Version >= 4.0.0 < 4.0.11

Jupyter ≫ Notebook Version >= 7.0.0 < 7.0.7

Fedoraproject ≫ Fedora Version39

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.345

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
security-advisories@github.com	7.6	2.8	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/

Third Party Advisory

Mailing List

https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6

Patch

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-22421

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-22421

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-22421

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-22421