CVE-2023-40170: Missing Authentication for Critical Function

August 28, 2023 (updated September 15, 2023)

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via “Open image in new tab”. This issue has been addressed in commit 87a49272728 which has been included in release 2.7.2. Users are advised to upgrade. Users unable to upgrade may use the lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks.

References

github.com/advisories/GHSA-64x5-55rw-9974
github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd
github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
nvd.nist.gov/vuln/detail/CVE-2023-40170

Code Behaviors & Features

Detect and mitigate CVE-2023-40170 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →