CVE-2023-49080: Jupyter Server errors include tracebacks with path information
First published: Mon Dec 04 2023(Updated: )
### Impact Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. ### Patches jupyter-server PATCHED_VERSION no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. ### Workarounds None
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/jupyter-server | <2.11.2 | 2.11.2 |
| Jupyter Jupyter Server | <2.11.2 |
Remedy
https://github.com/jupyter-server/jupyter_server/commit/0056c3aa52cbb28b263a7a609ae5f17618b36652
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jupyter-server/jupyter_server/commit/0056c3aa52cbb28b263a7a609ae5f17618b36652
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-h56g-gq9v-vc8r
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62LO7PPIAMLIDEKUOORXLHKLGA6QPL77/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FG2JWZI5KPUYMDPS53AIFTZJWZD3IT6I/
- https://nvd.nist.gov/vuln/detail/CVE-2023-49080
- https://github.com/advisories/GHSA-h56g-gq9v-vc8r (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-272.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62LO7PPIAMLIDEKUOORXLHKLGA6QPL77
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FG2JWZI5KPUYMDPS53AIFTZJWZD3IT6I
Frequently Asked Questions
What is the vulnerability ID for this Jupyter Server vulnerability?
The vulnerability ID for this Jupyter Server vulnerability is CVE-2023-49080.
What is the severity level of CVE-2023-49080?
CVE-2023-49080 has a severity level of low.
What software is affected by CVE-2023-49080?
The Jupyter Server package version up to exclusive 2.11.2 is affected by CVE-2023-49080.
What is the remediation for CVE-2023-49080?
To fix CVE-2023-49080, you should upgrade the Jupyter Server package to version 2.11.2 or higher.
What is the Common Weakness Enumeration (CWE) number associated with CVE-2023-49080?
The Common Weakness Enumeration (CWE) number associated with CVE-2023-49080 is CWE-209.
- collector/nvd-api
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/description
- agent/title
- agent/weakness
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h56g-gq9v-vc8r
- alias/CVE-2023-49080
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/trending
- agent/tags
- agent/source
- vendor/jupyter
- canonical/jupyter jupyter server
- package-manager/pip