CVE-2024-22421: Potential authentication and CSRF tokens leak in JupyterLab

First published: Fri Jan 19 2024(Updated: )

### Impact Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. ### Patches JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched. ### Workarounds No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix. ### References Vulnerability reported by user @davwwwx via the [bug bounty program](https://app.intigriti.com/programs/jupyter/jupyter/detail) [sponsored by the European Commission](https://commission.europa.eu/news/european-commissions-open-source-programme-office-starts-bug-bounties-2022-01-19_en) and hosted on the [Intigriti platform](https://www.intigriti.com/).

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/first-publish-date
• agent/weakness
• agent/title
• agent/type
• agent/description
• agent/event
• agent/author
• agent/severity
• agent/remedy
• agent/softwarecombine
• collector/github-advisory
• source/GitHub
• alias/GHSA-44cc-43rp-5947
• alias/CVE-2024-22421
• agent/software-canonical-lookup
• collector/mitre-cve
• source/MITRE
• agent/references
• agent/tags
• collector/nvd-api
• source/NVD
• agent/epss
• collector/epss-latest
• source/FIRST
• collector/github-advisory-latest
• agent/last-modified-date
• collector/nvd-cve
• package-manager/pip
• vendor/jupyter
• canonical/jupyter jupyterlab
• version/jupyter jupyterlab/4.0.0
• canonical/jupyter notebook
• version/jupyter notebook/7.0.0
• vendor/fedoraproject
• canonical/fedoraproject fedora
• version/fedoraproject fedora/39