CVE-2019-10255
Summary
An open redirect in Jupyter Notebook before 5.7.7 (all browsers) and in JupyterHub before 0.9.5 (some browsers, including Chrome and Firefox) allows a crafted link to the login page to send the user to a malicious site after a successful login. Servers running on a base_url prefix are not affected.
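As an added illustration (not code from the Jupyter project or from this record), a post-login redirect-target check in Python: `naive_next_check` models a prefix-only check whose acceptance of scheme-relative targets such as `//attacker.example` is consistent with the summary's note that a non-root base_url is unaffected, while `is_safe_redirect` rejects any target carrying a scheme or host. The parameter name `next`, the sample targets and the shape of the weak check are assumptions for this example.

```python
from urllib.parse import urlparse

# Constructed sample targets a login handler might receive in a "next"
# query parameter (the parameter name is an assumption for this example).
SAME_SITE_TARGET = "/tree"
SCHEME_RELATIVE_TARGET = "//attacker.example/"  # browsers resolve this off-site
ABSOLUTE_TARGET = "https://attacker.example/"


def naive_next_check(target: str, base_url: str) -> bool:
    """Prefix-only check (assumed weak form): accept anything under base_url.

    With base_url == "/" a scheme-relative target also starts with "/" and
    passes; with a prefix such as "/hub/" it does not, which matches the
    record's note that servers on a base_url prefix are unaffected.
    """
    return target.startswith(base_url)


def is_safe_redirect(target: str, base_url: str = "/") -> bool:
    """Accept only an absolute path on this server located under base_url."""
    if not target:
        return False
    parsed = urlparse(target)
    # A scheme or network location means the target leaves this origin.
    if parsed.scheme or parsed.netloc:
        return False
    # Also reject backslash variants that some browsers normalise to "//".
    if target.startswith(("//", "/\\", "\\")):
        return False
    # Must be a rooted path under the prefix; "/hub" counts as under "/hub/",
    # so compare with a trailing slash appended.
    return target.startswith("/") and (parsed.path + "/").startswith(base_url)


def login_redirect_target(requested: str, base_url: str = "/") -> str:
    """URL to redirect to after login, falling back to base_url when unsafe."""
    return requested if is_safe_redirect(requested, base_url) else base_url


if __name__ == "__main__":
    for base in ("/", "/hub/"):
        for t in (SAME_SITE_TARGET, SCHEME_RELATIVE_TARGET, ABSOLUTE_TARGET):
            print(f"base_url={base!r} target={t!r}: "
                  f"naive={naive_next_check(t, base)} safe={is_safe_redirect(t, base)}")
```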
Impact & exploitability
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle; per the summary, Jupyter Notebook 5.7.7 and JupyterHub 0.9.5 are the first versions that are not affected.
Official patch: https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
Additional information
- NVD record
- Patch: https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
- Patch: https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b
- Patch: https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a8ed
- Patch: https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c
- Advisory: https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/