CVE-2024-22421

CVSS V2 None CVSS V3 None

Description

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix.

Overview

CVE ID
CVE-2024-22421

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-01-19T20:45:49.027Z

Last Modified Date
2024-01-19T20:45:49.027Z

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html
CWE-23	http://cwe.mitre.org/data/definitions/23.html

References

Reference URL	Reference Tags
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947	x_refsource_CONFIRM
https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-22421
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22421

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 09:21:13				Added to TrackCVE