CVE-2019-10255
First published: Thu Mar 28 2019(Updated: )
An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/jupyterhub | <0.9.6 | 0.9.6 |
| pip/notebook | <5.7.8 | 5.7.8 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
| Jupyter JupyterHub | <0.9.5 | |
| Jupyter Notebook | <5.7.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-10255
- https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
- https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b
- https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a8ed
- https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4
- https://github.com/advisories/GHSA-rv62-4pmj-xw6h (Advisory)
- https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Frequently Asked Questions
What is CVE-2019-10255?
CVE-2019-10255 is an Open Redirect vulnerability in Jupyter Notebook and JupyterHub.
Which browsers are affected by CVE-2019-10255?
All browsers in Jupyter Notebook before version 5.7.8 and some browsers (Chrome, Firefox) in JupyterHub before version 0.9.6 are affected.
How can CVE-2019-10255 be exploited?
Crafted links can be used to redirect users to a malicious site after successful login in Jupyter Notebook and JupyterHub.
Are servers running on a base_url prefix affected by CVE-2019-10255?
No, servers running on a base_url prefix are not affected by CVE-2019-10255.
What is the severity of CVE-2019-10255?
CVE-2019-10255 has a severity score of 6.1 (Medium).
- collector/github-advisory-latest
- alias/GHSA-rv62-4pmj-xw6h
- alias/CVE-2019-10255
- collector/github-advisory
- agent/author
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/first-publish-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- agent/trending
- package-manager/pip
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4
- vendor/jupyter
- canonical/jupyter jupyterhub
- canonical/jupyter notebook