GHSA-fvcq-4x64-hqxr: XSS
First published: Tue Jun 11 2024(Updated: )
### Impact There is a reflected cross-site scripting (XSS) issue in `jupyter-server-proxy`[1]. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/<host>`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/<host>`, which runs the custom JavaScript contained in `host` set by the actor. As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. This issue exists in the latest release of `jupyter-server-proxy`, currently `v4.1.2`. **Impacted versions:** `>=3.0.0,<=4.1.2` ### Patches The patches are included in `==4.2.0` and `==3.2.4`. ### Workarounds Server operators who are unable to upgrade can disable the `jupyter-server-proxy` extension with: ``` jupyter server extension disable jupyter-server-proxy ``` ### References [1] : https://github.com/jupyterhub/jupyter-server-proxy/ [2] : https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/jupyter-server-proxy | >=4.0.0<4.2.0 | 4.2.0 |
| pip/jupyter-server-proxy | >=3.0.0<3.2.4 | 3.2.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr
- https://github.com/jupyterhub/jupyter-server-proxy/commit/7abc9dc5bbb0b4b440548a5375261b8b8192fc22
- https://github.com/jupyterhub/jupyter-server-proxy/commit/ff78128087e73fb9d0909e1366f8bf051e8ea878
- https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328
- https://nvd.nist.gov/vuln/detail/CVE-2024-35225
- https://github.com/advisories/GHSA-fvcq-4x64-hqxr (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server-proxy/PYSEC-2024-236.yaml
Frequently Asked Questions
What is the severity of GHSA-fvcq-4x64-hqxr?
The GHSA-fvcq-4x64-hqxr vulnerability has a moderate severity level due to the reflected cross-site scripting (XSS) risk.
How do I fix GHSA-fvcq-4x64-hqxr?
To fix GHSA-fvcq-4x64-hqxr, you should upgrade `jupyter-server-proxy` to version 4.2.0 or 3.2.4 or later.
Which versions of jupyter-server-proxy are affected by GHSA-fvcq-4x64-hqxr?
GHSA-fvcq-4x64-hqxr affects versions of `jupyter-server-proxy` from 4.0.0 up to but not including 4.2.0 and 3.0.0 up to but not including 3.2.4.
What type of vulnerability is GHSA-fvcq-4x64-hqxr?
GHSA-fvcq-4x64-hqxr is a reflected cross-site scripting (XSS) vulnerability.
Is GHSA-fvcq-4x64-hqxr exploitable?
Yes, GHSA-fvcq-4x64-hqxr is exploitable if an attacker can craft a request to the vulnerable `/proxy` endpoint with an invalid host.
- agent/weakness
- agent/severity
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/references
- collector/github-advisory
- source/GitHub
- alias/GHSA-fvcq-4x64-hqxr
- alias/CVE-2024-35225
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/tags
- agent/event
- agent/last-modified-date
- agent/description
- collector/github-advisory-latest
- package-manager/pip