Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNTZnLWdxOXYtdmM4cs4AA3kx
jupyter-server errors include tracebacks with path information
Impact
Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment.
Patches
jupyter-server PATCHED_VERSION no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty.
Workarounds
None
Permalink: https://github.com/advisories/GHSA-h56g-gq9v-vc8r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNTZnLWdxOXYtdmM4cs4AA3kx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 10 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-h56g-gq9v-vc8r, CVE-2023-49080
References:
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-h56g-gq9v-vc8r
- https://nvd.nist.gov/vuln/detail/CVE-2023-49080
- https://github.com/jupyter-server/jupyter_server/commit/0056c3aa52cbb28b263a7a609ae5f17618b36652
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-272.yaml
- https://lists.fedoraproject.org/archives/list/[email protected]/message/62LO7PPIAMLIDEKUOORXLHKLGA6QPL77
- https://lists.fedoraproject.org/archives/list/[email protected]/message/FG2JWZI5KPUYMDPS53AIFTZJWZD3IT6I
- https://github.com/advisories/GHSA-h56g-gq9v-vc8r
Blast Radius: 16.6
Affected Packages
pypi:jupyter-server
Dependent packages: 276
Dependent repositories: 7,327
Downloads: 31,156,635 last month
Affected Version Ranges: < 2.11.2
Fixed in: 2.11.2
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.1.0, 0.1.1, 0.2.0, 0.2.1, 0.3.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.8.0, 1.9.0, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.15.0, 1.15.1, 1.15.2, 1.15.3, 1.15.4, 1.15.5, 1.15.6, 1.16.0, 1.17.0, 1.17.1, 1.18.0, 1.18.1, 1.19.0, 1.19.1, 1.21.0, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.23.4, 1.23.5, 1.23.6, 1.24.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1.0, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0, 2.11.1
All unaffected versions: 2.11.2, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.13.0, 2.14.0, 2.14.1, 2.14.2