CVE-2023-49080 – jupyter-server

Package

Manager: pip
Name: jupyter-server
Vulnerable Version: >=0 <2.11.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0029 pctl0.52014

Details

jupyter-server errors include tracebacks with path information ### Impact Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. ### Patches jupyter-server PATCHED_VERSION no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. ### Workarounds None

Metadata

Created: 2023-12-05T18:15:02Z
Modified: 2024-11-22T17:59:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-h56g-gq9v-vc8r/GHSA-h56g-gq9v-vc8r.json
CWE IDs: ["CWE-209"]
Alternative ID: GHSA-h56g-gq9v-vc8r
Finding: F037
Auto approve: 1