logo

Database

Technical information leak In jupyter-server

Description

jupyter-server errors include tracebacks with path information

Impact

Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment.

Patches

jupyter-server PATCHED_VERSION no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty.

Workarounds

None

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-490802. NVD-2023-490803. OSV-2023-490804. OSV-DEBIAN-2023-490805. GHSA-h56g-gq9v-vc8r6. GCVE-2023-490807. SECURITY-TRACKER-CVE-2023-49080

References

1. https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-h56g-gq9v-vc8r2. https://github.com/jupyter-server/jupyter_server/commit/0056c3aa52cbb28b263a7a609ae5f17618b366523. https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-272.yaml4. https://lists.fedoraproject.org/archives/list/[email protected]/message/62LO7PPIAMLIDEKUOORXLHKLGA6QPL775. https://lists.fedoraproject.org/archives/list/[email protected]/message/FG2JWZI5KPUYMDPS53AIFTZJWZD3IT6I

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.