What is CVE-2022-39286?

CVE-2022-39286 is an arbitrary code execution vulnerability in Jupyter Core that allows one user to run code as another.

Who is impacted by CVE-2022-39286?

Users of Jupyter Core versions prior to 4.11.2 are impacted by CVE-2022-39286.

What is the severity of CVE-2022-39286?

CVE-2022-39286 has a severity rating of 8.8 (High).

How can I fix CVE-2022-39286?

To fix CVE-2022-39286, update Jupyter Core to version 4.11.2 or higher.

Where can I find more information about CVE-2022-39286?

You can find more information about CVE-2022-39286 on the GitHub Security Advisory page and the NVD website.

Vulnerability/
CVE-2022-39286

high

8.8

CWE

250 269 427

26/10/2022

24/9/2024

CVE-2022-39286: Execution with Unnecessary Privileges in JupyterApp

First published: Wed Oct 26 2022(Updated: )

### Impact _What kind of vulnerability is it? Who is impacted?_ We’d like to disclose an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in the current working directory. This vulnerability allows one user to run code as another. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Users should upgrade to `jupyter_core>=4.11.2`. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ No ### References _Are there any links users can visit to find out more?_ Similar advisory in [IPython](https://github.com/advisories/GHSA-pq7m-3gw7-gq5x)

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
debian/jupyter-core	<=4.4.0-2	4.4.0-2+deb10u1 4.7.1-1+deb11u1 4.12.0-1 5.3.2-1
debian/jupyter-core	<=4.7.1-1<=4.11.1-1	4.11.2-1 4.7.1-1+deb11u1
pip/jupyter-core	<4.11.2	4.11.2
Jupyter Jupyter Core	<4.11.2
Debian GNU/Linux	=10.0
Debian GNU/Linux	=11.0
Fedoraproject Fedora	=36
Fedoraproject Fedora	=37

Remedy

https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-39286?
CVE-2022-39286 is an arbitrary code execution vulnerability in Jupyter Core that allows one user to run code as another.
Who is impacted by CVE-2022-39286?
Users of Jupyter Core versions prior to 4.11.2 are impacted by CVE-2022-39286.
What is the severity of CVE-2022-39286?
CVE-2022-39286 has a severity rating of 8.8 (High).
How can I fix CVE-2022-39286?
To fix CVE-2022-39286, update Jupyter Core to version 4.11.2 or higher.
Where can I find more information about CVE-2022-39286?
You can find more information about CVE-2022-39286 on the GitHub Security Advisory page and the NVD website.

collector/security-tracker-debian
collector/debian-bugs
alias/CVE-2022-39286
agent/type
collector/mitre-cve
source/MITRE
agent/severity
agent/remedy
agent/title
agent/weakness
agent/first-publish-date
agent/event
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-m678-f26j-3hrp
agent/software-canonical-lookup
agent/last-modified-date
agent/references
collector/github-advisory
agent/trending
agent/source
agent/author
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
agent/softwarecombine
agent/tags
collector/nvd-index
package-manager/debian
package-manager/pip
vendor/jupyter
canonical/jupyter jupyter core
vendor/debian
canonical/debian gnu/linux
version/debian gnu/linux/10.0
version/debian gnu/linux/11.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/36
version/fedoraproject fedora/37