On Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users.
Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected.
jupyter_core>=5.8.1 (5.8.0 is patched but breaks jupyter-server) , or%PROGRAMDATA% directory so it is not writable by unauthorized users, or%PROGRAMDATA%\jupyter directory with appropriately restrictive permissions, or%PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators or the current user)Reported via Trend Micro Zero Day Initiative as ZDI-CAN-25932