Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1oNTZnLWdxOXYtdmM4cs4AA3kx

jupyter-server errors include tracebacks with path information

Impact

Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment.

Patches

jupyter-server PATCHED_VERSION no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty.

Workarounds

None

Permalink: https://github.com/advisories/GHSA-h56g-gq9v-vc8r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNTZnLWdxOXYtdmM4cs4AA3kx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-h56g-gq9v-vc8r, CVE-2023-49080
References:

• https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-h56g-gq9v-vc8r
• https://nvd.nist.gov/vuln/detail/CVE-2023-49080
• https://github.com/jupyter-server/jupyter_server/commit/0056c3aa52cbb28b263a7a609ae5f17618b36652
• https://lists.fedoraproject.org/archives/list/[email protected]/message/62LO7PPIAMLIDEKUOORXLHKLGA6QPL77/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/FG2JWZI5KPUYMDPS53AIFTZJWZD3IT6I/
• https://github.com/advisories/GHSA-h56g-gq9v-vc8r

Repository: https://github.com/jupyter-server/jupyter_server
Blast Radius: 16.6

Affected Packages