Open Redirect Affecting jupyter-server package, versions [,1.1.1)
- Snyk ID SNYK-PYTHON-JUPYTERSERVER-1053428
- published 22 Dec 2020
- disclosed 21 Dec 2020
- credit Yaniv Nizry from CxSCA group
Introduced: 21 Dec 2020
CVE-2020-26275
How to fix?
Upgrade jupyter-server to version 1.1.1 or higher.
Overview
Affected versions of this package are vulnerable to Open Redirect. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers running without a base_url prefix are technically affected; however, such links can only reasonably be crafted for known jupyter server hosts. A link to your jupyter server may appear safe, but ultimately redirect to a spoofed server on the public internet. This same vulnerability was patched in upstream notebook v5.7.8.
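The defensive check behind fixes of this kind is to validate a redirect target before placing it in a `Location` header: only an absolute path on the server's own origin, under the configured `base_url`, may be returned, and anything a browser could resolve to another host (an absolute URL, a protocol-relative `//host`, a backslash variant, or extra leading slashes) is refused. The following helper is an added example written for this page; it is not jupyter-server's own code, and the function name `safe_local_redirect`, the `UnsafeRedirect` exception and the sample targets are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit


class UnsafeRedirect(ValueError):
    """Raised when a redirect target would leave the server's own origin."""


def safe_local_redirect(target: str, base_url: str = "/") -> str:
    """Validate a redirect target and return it as a same-origin path.

    Hypothetical defensive helper (not jupyter-server's own code). Accepts only
    absolute paths that stay under ``base_url``; everything a browser could
    read as another host (absolute URLs, protocol-relative '//host',
    backslash variants, extra leading slashes) raises UnsafeRedirect.
    """
    if not target:
        raise UnsafeRedirect("empty redirect target")
    # Browsers treat '\' as '/' in http(s) URLs, so '/\host' is really '//host'.
    candidate = target.replace("\\", "/")
    # Tabs, newlines and other control characters are stripped or mangled by
    # browsers; reject rather than guess how they will be interpreted.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate) or candidate != candidate.strip():
        raise UnsafeRedirect("control characters or padding in redirect target")
    # Any run of leading slashes ('//host', '///host', ...) resolves to a
    # different authority in the WHATWG URL parser, never to a local path.
    if candidate.startswith("//"):
        raise UnsafeRedirect("protocol-relative URL: %r" % target)
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        raise UnsafeRedirect("absolute URL: %r" % target)
    if not parts.path.startswith("/"):
        raise UnsafeRedirect("relative path: %r" % target)
    # Collapse '..' segments and duplicate slashes so the prefix test is meaningful.
    path = posixpath.normpath(parts.path)
    base = "/" + base_url.strip("/")
    if base != "/" and path != base and not path.startswith(base + "/"):
        raise UnsafeRedirect("path %r escapes base_url %r" % (path, base))
    # Re-attach query and fragment; netloc and scheme are deliberately empty.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample targets: the first two are accepted, the rest rejected.
    for sample in ["/tree/notebooks", "/lab?token=abc",
                   "//attacker.example/", "///attacker.example",
                   "/\\attacker.example", "https://attacker.example/", "tree"]:
        try:
            print("accept", sample, "->", safe_local_redirect(sample))
        except UnsafeRedirect as exc:
            print("reject", sample, ":", exc)
```

The check is deliberately stricter than "does not start with `//`": backslashes are folded before the test, leading slashes of any count are refused, and the path is normalised so that a `..` sequence cannot step outside the `base_url` prefix. Servers deployed with a `base_url` pass it in so that even same-origin redirects stay inside the application.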