GHSA-m678-f26j-3hrp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m678-f26j-3hrp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-m678-f26j-3hrp/GHSA-m678-f26j-3hrp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m678-f26j-3hrp
- Aliases
- Related
- Published
- 2022-10-26T22:07:00Z
- Modified
- 2024-09-24T20:45:54.304870Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Execution with Unnecessary Privileges in JupyterApp
- Details
-
Impact
What kind of vulnerability is it? Who is impacted? We’d like to disclose an arbitrary code execution vulnerability in
jupyter_corethat stems fromjupyter_coreexecuting untrusted files in the current working directory. This vulnerability allows one user to run code as another.Patches
Has the problem been patched? What versions should users upgrade to? Users should upgrade to
jupyter_core>=4.11.2.Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading? No
References
Are there any links users can visit to find out more? Similar advisory in IPython
- Database specific
{ "nvd_published_at": "2022-10-26T20:15:00Z", "cwe_ids": [ "CWE-250", "CWE-269", "CWE-427" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-10-26T22:07:00Z" }- References
-
- https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp
- https://nvd.nist.gov/vuln/detail/CVE-2022-39286
- https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283
- https://github.com/jupyter/jupyter_core
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-core/PYSEC-2022-42974.yaml
- https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN
- https://security.gentoo.org/glsa/202301-04
- https://www.debian.org/security/2023/dsa-5422
Affected packages
PyPI / jupyter-core
Package
- Name
- jupyter-core
- View open source insights on deps.dev
- Purl
- pkg:pypi/jupyter-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.11.2