GHSA-44cc-43rp-5947

Source
https://github.com/advisories/GHSA-44cc-43rp-5947
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-44cc-43rp-5947/GHSA-44cc-43rp-5947.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-44cc-43rp-5947
Aliases
Published
2024-01-19T20:28:10Z
Modified
2024-02-20T05:34:26.989923Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
Summary
JupyterLab vulnerable to potential authentication and CSRF tokens leak
Details

Impact

Users of JupyterLab who click on a malicious link may have their Authorization and XSRFToken tokens exposed to a third party when the JupyterLab instance is running with an older jupyter-server version.

Patches

JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.

Workarounds

No workaround has been identified; however, users should ensure that they upgrade jupyter-server to version 2.7.2 or newer, which includes a fix for a redirect vulnerability.

References

Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

Affected packages

Package: PyPI / jupyterlab

Affected ranges
  Type: ECOSYSTEM
  Events: introduced 4.0.0, fixed 4.0.11

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10

Database specific

{
    "last_known_affected_version_range": "<= 4.0.10"
}

Package: PyPI / jupyterlab

Affected ranges
  Type: ECOSYSTEM
  Events: introduced 0 (unknown introduced version; all previous versions are affected), fixed 3.6.7

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.13
0.1.1
0.1.2
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.6.0
0.7.0
0.8.0
0.9.0
0.9.1
0.10.0
0.11.0
0.11.1
0.11.2
0.11.3
0.12.0
0.12.1
0.13.0
0.13.1
0.13.2
0.14.0
0.15.0
0.15.1
0.16.0
0.16.2
0.17.0
0.17.1
0.17.2
0.17.4
0.17.5
0.18.0.dev1
0.18.0
0.18.1
0.19.0
0.20.0rc1
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.21.0rc1
0.21.0rc2
0.21.0rc3
0.21.0rc4
0.21.0rc5
0.21.0
0.22.0rc0
0.22.0
0.22.1
0.23.0rc0
0.23.0rc1
0.23.0
0.23.1
0.23.2
0.24.0rc0
0.24.0rc1
0.24.0rc2
0.24.0
0.24.1
0.25.0rc0
0.25.0rc1
0.25.0
0.25.1
0.25.2rc0
0.25.2
0.26.0rc0
0.26.0rc1
0.26.0
0.26.1
0.26.2
0.26.3
0.26.4
0.26.5
0.27.0rc0
0.27.0rc1
0.27.0rc2
0.27.0rc3
0.27.0rc4
0.27.0rc5
0.27.0
0.27.1
0.27.2
0.28.0rc0
0.28.0rc1
0.28.0rc2
0.28.0rc3
0.28.0
0.28.1
0.28.2
0.28.3
0.28.4
0.28.5
0.28.6
0.28.7
0.28.8
0.28.10
0.28.11
0.28.12
0.28.13
0.28.14
0.28.15
0.29.0rc0
0.29.0
0.29.1
0.29.2
0.30.0rc0
0.30.0rc1
0.30.0
0.30.1
0.30.2
0.30.3
0.30.4
0.30.5
0.30.6
0.31.0rc0
0.31.0rc1
0.31.0rc2
0.31.0
0.31.1
0.31.2
0.31.3
0.31.4
0.31.5
0.31.6
0.31.7
0.31.8
0.31.9
0.31.10
0.31.11
0.31.12
0.32.0rc0
0.32.0rc1
0.32.0
0.32.1
0.33.0rc0
0.33.0rc1
0.33.0
0.33.1
0.33.2
0.33.3
0.33.4
0.33.5
0.33.6
0.33.7
0.33.8
0.33.9
0.33.10
0.33.11
0.33.12
0.34.0rc0
0.34.0rc1
0.34.0rc2
0.34.0
0.34.1
0.34.2
0.34.3
0.34.4
0.34.5
0.34.6
0.34.7
0.34.8
0.34.9
0.34.10
0.34.11
0.34.12
0.35.0rc0
0.35.0rc1
0.35.0rc2
0.35.0
0.35.1
0.35.2
0.35.3
0.35.4
0.35.5
0.35.6

1.*

1.0.0a0
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0a6
1.0.0a7
1.0.0a8
1.0.0a9
1.0.0a10
1.0.0rc0
1.0.0rc1
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.9
1.0.10
1.1.0a0
1.1.0a1
1.1.0a2
1.1.0rc0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0a0
1.2.0a1
1.2.0a2
1.2.0a3
1.2.0rc0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.19
1.2.20
1.2.21

2.*

2.0.0a0
2.0.0a1
2.0.0a3
2.0.0a4
2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc0
2.0.0rc1
2.0.0rc2
2.0.0
2.0.1rc0
2.0.1
2.0.2
2.1.0a0
2.1.0b0
2.1.0rc0
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.2.0a0
2.2.0a1
2.2.0rc1
2.2.0
2.2.1
2.2.2
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0a0
2.3.0a1
2.3.0a2
2.3.0rc0
2.3.0
2.3.1
2.3.2

3.*

3.0.0a0
3.0.0a3
3.0.0a4
3.0.0a5
3.0.0a6
3.0.0a7
3.0.0a8
3.0.0a9
3.0.0a10
3.0.0a11
3.0.0a12
3.0.0a13
3.0.0a14
3.0.0b1
3.0.0b2
3.0.0b3
3.0.0b4
3.0.0b6
3.0.0b7
3.0.0b8
3.0.0rc0
3.0.0rc1
3.0.0rc2
3.0.0rc3
3.0.0rc4
3.0.0rc5
3.0.0rc6
3.0.0rc7
3.0.0rc8
3.0.0rc9
3.0.0rc10
3.0.0rc11
3.0.0rc12
3.0.0rc13
3.0.0rc14
3.0.0rc15
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.1.0a0
3.1.0a1
3.1.0a2
3.1.0a3
3.1.0a4
3.1.0a5
3.1.0a6
3.1.0a7
3.1.0a8
3.1.0a9
3.1.0a10
3.1.0a11
3.1.0a12
3.1.0a13
3.1.0b0
3.1.0b1
3.1.0rc1
3.1.0rc2
3.1.0
3.1.1
3.1.2
3.1.4
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.16
3.1.17
3.1.18
3.1.19
3.2.0a0
3.2.0a1
3.2.0b0
3.2.0rc0
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.2.9
3.3.0a1
3.3.0a2
3.3.0a3
3.3.0b0
3.3.0rc0
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0a0
3.4.0b0
3.4.0rc0
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5.0a0
3.5.0b0
3.5.0rc0
3.5.0
3.5.1
3.5.2
3.5.3
3.6.0a0
3.6.0a1
3.6.0a2
3.6.0a3
3.6.0a4
3.6.0a5
3.6.0b0
3.6.0rc0
3.6.0rc1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6

Database specific

{
    "last_known_affected_version_range": "<= 3.6.6"
}

Package: PyPI / notebook

Affected ranges
  Type: ECOSYSTEM
  Events: introduced 7.0.0, fixed 7.0.7

Affected versions

7.*

7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6

Database specific

{
    "last_known_affected_version_range": "<= 7.0.6"
}