jupyter-server 1.0.0rc5 vulnerabilities

Known vulnerabilities in the jupyter-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Information Exposure Affected versions of this package are vulnerable to Information Exposure through the `log_request` function. This function recorded sensitive information from the query parameters without improper sanitization. How to fix Information Exposure? Upgrade `jupyter-server` to version 1.23.6, 2.3.0 or higher.	[,1.23.6)[2.0.0,2.3.0)
H Information Exposure Affected versions of this package are vulnerable to Information Exposure through the NTLMv2 password hash exposure process. An attacker can obtain and potentially crack this hash to gain unauthorized access to the Windows machine hosting the server or to other network-accessible machines or third-party services using the same credentials. How to fix Information Exposure? Upgrade `jupyter-server` to version 2.14.1 or higher.	[,2.14.1)
M Generation of Error Message Containing Sensitive Information Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information. When handling API requests from an authenticated user, unhandled errors include traceback information, which can reveal path information. The revealed paths are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. How to fix Generation of Error Message Containing Sensitive Information? Upgrade `jupyter-server` to version 2.11.2 or higher.	[,2.11.2)
M Open Redirect Affected versions of this package are vulnerable to Open Redirect via maliciously crafted login links, which allows an attacker to redirect a successful login or an already logged-in session to arbitrary sites. How to fix Open Redirect? Upgrade `jupyter-server` to version 2.7.2 or higher.	[,2.7.2)
M Access Control Bypass Affected versions of this package are vulnerable to Access Control Bypass via the `/files/` URLs due to improper cross-site credentials validation. An attacker can expose certain file contents or access files when opening untrusted files via "Open image in new tab". Note: This is due to an incomplete fix of CVE-2019-9644 How to fix Access Control Bypass? Upgrade `jupyter-server` to version 2.7.2 or higher.	[,2.7.2)
L Information Exposure Affected versions of this package are vulnerable to Information Exposure when the notebook server is started with a value of `root_dir` that contains the starting user's home directory. Exploiting this vulnerability is possible via REST API that can be used to leak the access token assigned at the start time by guessing/brute-forcing the PID of the server. How to fix Information Exposure? Upgrade `jupyter-server` to version 1.17.1 or higher.	[,1.17.1)
H Information Exposure Affected versions of this package are vulnerable to Information Exposure by logging the authentication cookie and other header values every time a 5xx error is triggered, by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. How to fix Information Exposure? Upgrade `jupyter-server` to version 1.15.4 or higher.	[,1.15.4)
M Open Redirect Affected versions of this package are vulnerable to Open Redirect. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers running without a `base_url` prefix are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed server on the public internet. This same vulnerability was patched in upstream notebook v5.7.8. How to fix Open Redirect? Upgrade `jupyter-server` to version 1.1.1 or higher.	[,1.1.1)
M Open Redirect Affected versions of this package are vulnerable to Open Redirect. A maliciously crafted link to a jupyter server could redirect the browser to a different website. How to fix Open Redirect? Upgrade `jupyter-server` to version 1.0.6 or higher.	[,1.0.6)

Vulnerability

Vulnerable Version

Information Exposure

Affected versions of this package are vulnerable to Information Exposure through the log_request function. This function recorded sensitive information from the query parameters without improper sanitization.

How to fix Information Exposure?

Upgrade jupyter-server to version 1.23.6, 2.3.0 or higher.

[,1.23.6)[2.0.0,2.3.0)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure through the NTLMv2 password hash exposure process. An attacker can obtain and potentially crack this hash to gain unauthorized access to the Windows machine hosting the server or to other network-accessible machines or third-party services using the same credentials.

How to fix Information Exposure?

Upgrade jupyter-server to version 2.14.1 or higher.

[,2.14.1)

Generation of Error Message Containing Sensitive Information

Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information. When handling API requests from an authenticated user, unhandled errors include traceback information, which can reveal path information. The revealed paths are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment.

How to fix Generation of Error Message Containing Sensitive Information?

Upgrade jupyter-server to version 2.11.2 or higher.

[,2.11.2)

Open Redirect

Affected versions of this package are vulnerable to Open Redirect via maliciously crafted login links, which allows an attacker to redirect a successful login or an already logged-in session to arbitrary sites.

How to fix Open Redirect?

Upgrade jupyter-server to version 2.7.2 or higher.

[,2.7.2)

Access Control Bypass

Affected versions of this package are vulnerable to Access Control Bypass via the /files/ URLs due to improper cross-site credentials validation. An attacker can expose certain file contents or access files when opening untrusted files via "Open image in new tab".

Note: This is due to an incomplete fix of CVE-2019-9644

How to fix Access Control Bypass?

Upgrade jupyter-server to version 2.7.2 or higher.

[,2.7.2)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure when the notebook server is started with a value of root_dir that contains the starting user's home directory. Exploiting this vulnerability is possible via REST API that can be used to leak the access token assigned at the start time by guessing/brute-forcing the PID of the server.

How to fix Information Exposure?

Upgrade jupyter-server to version 1.17.1 or higher.

[,1.17.1)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure by logging the authentication cookie and other header values every time a 5xx error is triggered, by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server.

How to fix Information Exposure?

Upgrade jupyter-server to version 1.15.4 or higher.

[,1.15.4)

Open Redirect

Affected versions of this package are vulnerable to Open Redirect. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers running without a base_url prefix are technically affected, however, these maliciously crafted links can only be reasonably made for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed server on the public internet. This same vulnerability was patched in upstream notebook v5.7.8.

How to fix Open Redirect?

Upgrade jupyter-server to version 1.1.1 or higher.

[,1.1.1)

Open Redirect

Affected versions of this package are vulnerable to Open Redirect. A maliciously crafted link to a jupyter server could redirect the browser to a different website.

How to fix Open Redirect?

Upgrade jupyter-server to version 1.0.6 or higher.

[,1.0.6)

jupyter-server@1.0.0rc5 vulnerabilities

The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?