Fluid Attacks Database

Description

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	jupyterlab	>=0 <4.0.11+ds1-1	4.0.11+ds1-1
debian 14	jupyterlab	>=0 <4.0.11+ds1-1	4.0.11+ds1-1
pypi	notebook	>=7.0.0 <7.0.7	7.0.7
pypi	jupyterlab	>=4.0.0 <4.0.11 \|\| >=0 <3.6.7	4.0.11, 3.6.7

Aliases

1. CVE-2024-224212. NVD-2024-224213. OSV-DEBIAN-2024-224214. OSV-2024-224215. GHSA-44cc-43rp-59476. GCVE-2024-224217. SECURITY-TRACKER-CVE-2024-22421

References

1. https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-59472. https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c63. https://github.com/jupyterlab/jupyterlab/commit/1ef7a4fa0202ebdf663e1cc0b45c8813a34a0b964. https://github.com/jupyterlab/jupyterlab/commit/fccd83dc4441da0384ee3fd1322c3b2d9ad4caaa5. https://lists.fedoraproject.org/archives/list/[email protected]/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H