Latest Jupyter Vulnerabilities

Potential authentication and CSRF tokens leak in JupyterLab
pip/notebook>=7.0.0<=7.0.6
pip/jupyterlab<=3.6.6
pip/jupyterlab>=4.0.0<=4.0.10
Jupyter Jupyterlab<3.6.7
Jupyter Jupyterlab>=4.0.0<4.0.11
Jupyter Notebook>=7.0.0<7.0.7
Stored cross site scripting in Markdown Preview in JupyterLab
Jupyter Jupyterlab>=4.0.0<4.0.11
Jupyter Notebook>=7.0.0<7.0.7
pip/notebook>=7.0.0<=7.0.6
pip/jupyterlab>=4.0.0<=4.0.10
Fedoraproject Fedora=39
Unsecured endpoints in the jupyter-lsp server extension
pip/jupyter-lsp<=2.2.1
Jupyter Language Server Protocol Integration<2.2.2
Any image allowed by default
Jupyter Dockerspawner>=0.11.0<13.0
pip/dockerspawner>=0.11.0<13.0.0
Jupyter Server errors include tracebacks with path information
pip/jupyter-server<2.11.2
Jupyter Jupyter Server<2.11.2
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in ses...
Jupyter Jupyter Server<2.7.2
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untru...
Jupyter Jupyter Server<2.7.2
We’d like to disclose an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted fil...
Jupyter Jupyter Core<4.11.2
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=36
Fedoraproject Fedora=37
pip/jupyter-core<4.11.2
Most of the fixes will be in this repo, though, so having it here gives us the private fork to work on patches. Below is currently a duplicate of the original report: ---- Received on security@ipyth...
Jupyter Nbconvert<=6.2.0
Debian Debian Linux=10.0
pip/nbconvert<6.5.1
Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a...
Jupyter Jupyter Server<1.17.0
pip/jupyter-server=2.0.0a0
pip/jupyter-server>=0<1.17.1
OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is pr...
Jupyter Oauthenticator<15.0.0
The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error i...
Jupyter Notebook<6.4.10
IBM Cognos Analytics 11.2.x
IBM Cognos Analytics 11.1.x
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications. Prior to version 1.15.4, unauthorized actors can access sensitive information f...
Jupyter Jupyter Server<1.15.4
Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploy...
Jupyter Jupyter Server Proxy<3.2.1
JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the ...
Jupyter Jupyterhub>=1.0.0<1.5.0
nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when ...
Jupyter Nbdime>=1.0.0<1.1.1
Jupyter Nbdime>=2.0.0<2.1.1
Jupyter Nbdime>=3.0.0<=3.1.1
Jupyter Nbdime>=5.0.0<5.0.2
Jupyter Nbdime>=6.0.0<6.1.2
Jupyter Nbdime-jupyterlab>=1.0.0<1.0.1
BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerabil...
pip/binderhub<0.2.0
Jupyter Binderhub<0.2.0-n653
The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Goog...
Jupyter Notebook>=5.7.0<5.7.11
Jupyter Notebook=6.4.0
JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
Jupyter Jupyterhub=1.1.0
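The JupyterHub 1.1.0 entry above describes a state-changing API request that was accepted without an `_xsrf` field. As an added illustration (not JupyterHub's own code, which relies on Tornado's built-in XSRF handling), the following stdlib-only Python shows the double-submit cookie check such a request must pass: the `_xsrf` cookie the browser attaches automatically must match a token that the page's own script supplied in an `X-XSRFToken` header or an `_xsrf` form field, which a cross-site page cannot read. The header name is the one Jupyter clients send; the plain-dict header lookup, the sample cookie line and the request bodies are constructed for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Methods that must not change state and therefore need no XSRF proof.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_xsrf_token() -> str:
    """Random per-session token, set as the ``_xsrf`` cookie on first visit."""
    return secrets.token_hex(16)


def _parse_cookie_header(header: str) -> dict:
    """Minimal Cookie header parser: ``a=1; b=2`` -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def _submitted_token(headers: dict, body: str):
    """Token the page's own script proved it could read: header first, then form field."""
    token = headers.get("X-XSRFToken")
    if token:
        return token
    # Form-encoded bodies carry it as a hidden ``_xsrf`` field; JSON API
    # calls are expected to use the header instead (parse_qs ignores JSON).
    return parse_qs(body).get("_xsrf", [None])[0]


def check_xsrf(method: str, headers: dict, body: str = ""):
    """Double-submit cookie check. Returns (status, reason).

    A cross-site page can make the victim's browser send the ``_xsrf`` cookie,
    but cannot read it, so it cannot supply a matching header or field.
    """
    if method.upper() in SAFE_METHODS:
        return 200, "ok"
    cookie_token = _parse_cookie_header(headers.get("Cookie", "")).get("_xsrf")
    if not cookie_token:
        return 403, "'_xsrf' cookie missing"
    submitted = _submitted_token(headers, body)
    if not submitted:
        return 403, "'_xsrf' argument missing from request"
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(cookie_token.encode(), submitted.encode()):
        return 403, "XSRF cookie does not match request argument"
    return 200, "ok"


def demo() -> dict:
    """Constructed requests modelled on a POST/DELETE to /hub/api/user."""
    token = new_xsrf_token()
    session = {"Cookie": f"_xsrf={token}; jupyterhub-session-id=constructed"}
    return {
        # Legitimate admin page: its script adds the header it read from the cookie.
        "legit_api_call": check_xsrf("POST", {**session, "X-XSRFToken": token}),
        # Forged cross-site POST: the cookie rides along, the proof is absent.
        "forged_api_call": check_xsrf("POST", session),
        # Forged request that guesses a token.
        "guessed_token": check_xsrf("DELETE", session, "_xsrf=0000"),
        # Reads stay open.
        "read": check_xsrf("GET", session),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the entry is that every handler reachable with a state-changing method needs this check, API endpoints included; a check that only covers HTML form handlers leaves the admin API open to a forged request.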
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. In Jupyter Server before version 1...
Jupyter Jupyter Server<1.1.1
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which sh...
Jupyter Oauthenticator>=0.12.0<0.12.2
Jupyter Server before version 1.0.6 has an Open redirect vulnerability. A maliciously crafted link to a jupyter server could redirect the browser to a different website. All jupyter servers are techni...
Jupyter Jupyter Server<1.0.6
Jupyter Notebook could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially-crafted URL to redi...
Jupyter Notebook<6.1.5
Debian Debian Linux=9.0
Jupyter Notebook<5.5.0
In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255.
Jupyter Notebook<5.7.8
An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.8 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.6 allows crafted links to the login page, which will redir...
Jupyter Jupyterhub<0.9.5
Jupyter Notebook<5.7.7
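The open redirect entries above (Jupyter Server before 1.0.6 and 2.7.2, Jupyter Notebook before 5.7.7, 5.7.8 and 6.1.5, and the JupyterHub login page) all concern a login `next` value accepted as a redirect target. As an added example, not code from any of those projects, the following Python validates such a value with only the standard library and handles the edge case the 5.7.8 entry names: `///host` parses with an empty netloc in `urllib.parse` but is resolved by browsers as a network-path reference to `host`. The function names, the `base_url` handling and the sample inputs are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import urlparse

# Two or more leading slash-like characters form a network-path reference
# ("//host"). Browsers resolve "///host" and "/\host" to another origin even
# though urllib.parse reports an empty netloc for them.
_NETWORK_PATH = re.compile(r"^[/\\]{2,}")


def is_safe_redirect(next_url: str, base_url: str = "/") -> bool:
    """True only if next_url is a path on this server below base_url."""
    if not next_url:
        return False
    # Some browsers drop tabs, newlines and other control characters before
    # parsing ("/\t/host" becomes "//host"), so refuse whitespace and
    # control characters outright; valid paths have them percent-encoded.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in next_url):
        return False
    # In http(s) URLs a backslash is treated as a forward slash.
    candidate = next_url.replace("\\", "/")
    if _NETWORK_PATH.match(candidate):
        return False
    parsed = urlparse(candidate)
    # Any scheme ("https:", "javascript:", even "host:80/...") or host
    # component means the target is not this server.
    if parsed.scheme or parsed.netloc:
        return False
    if not parsed.path.startswith("/"):
        return False  # "host/path" would be a relative reference
    # Collapse ".." so the value cannot step outside base_url. posixpath keeps
    # a leading "//" intact, so check it again afterwards.
    path = posixpath.normpath(parsed.path)
    if path.startswith("//"):
        return False
    base = base_url if base_url.endswith("/") else base_url + "/"
    return (path + "/").startswith(base)


def safe_redirect_target(next_url: str, base_url: str = "/") -> str:
    """Use next_url when it passes the check, otherwise fall back to base_url."""
    return next_url if is_safe_redirect(next_url, base_url) else base_url


# Constructed inputs and the expected verdict for base_url "/hub/".
SAMPLES = {
    "/hub/home": True,
    "/hub/login?next=/hub/home": True,   # query string is not part of the path
    "/hub/../admin": False,              # escapes the base prefix
    "//attacker.test/login": False,      # protocol-relative
    "///attacker.test": False,           # empty netloc for urlparse, host for browsers
    "/\\attacker.test": False,           # backslash normalised by browsers
    "/\t/attacker.test": False,          # control character
    "https://attacker.test/": False,
    "https:/attacker.test/": False,      # a single slash still reaches the host
    "javascript:alert(1)": False,
    "attacker.test/hub": False,
}


def mismatches(base_url: str = "/hub/") -> list:
    """Inputs whose verdict differs from SAMPLES; empty when the check behaves."""
    return [u for u, ok in SAMPLES.items() if is_safe_redirect(u, base_url) != ok]
```

The check deliberately inspects the raw string before handing it to `urlparse`, because the parser's view of `///host` (empty netloc, path `/host`) is exactly the view the incomplete fix trusted.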
An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access...
Jupyter Notebook<5.7.6
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can ex...
pip/notebook<5.7.1
Jupyter Notebook<5.7.1
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js handles certain URLs unsafely.
Jupyter Notebook<5.7.2
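Several entries above are stored XSS through rendered HTML: the JupyterLab Markdown preview, nbdime's diff output, nbconvert output treated as same-origin with the notebook server, and a crafted directory name in the notebook file tree. The common defence is to pass untrusted markup through an allowlist sanitizer before it reaches the DOM. The following is an added example written for this page with only the Python standard library, not the sanitizer any of these projects use (JupyterLab's renderer runs in the browser): tags and attributes outside the allowlist are dropped, `script`/`style`/`iframe` content is discarded, and `href`/`src` values are restricted to http, https, mailto or relative URLs so `javascript:` and `data:` do not survive, including entity-encoded forms, which `HTMLParser` decodes before the check runs. The allowlists and the sample inputs are choices made for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {
    "p", "br", "a", "b", "i", "em", "strong", "code", "pre", "blockquote",
    "ul", "ol", "li", "img", "h1", "h2", "h3", "h4", "h5", "h6",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Elements whose text content is discarded, not merely unwrapped.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


def safe_url(value: str):
    """Return the URL if its scheme is permitted (or absent), else None."""
    # Browsers strip tabs/newlines inside URLs and surrounding whitespace,
    # so "java\tscript:" must be treated as "javascript:".
    cleaned = value.strip().replace("\t", "").replace("\n", "").replace("\r", "")
    scheme = urlparse(cleaned).scheme  # urlparse lower-cases the scheme
    if scheme and scheme not in SAFE_SCHEMES:
        return None  # javascript:, data:, vbscript:, ...
    return cleaned


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if self._drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self._drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unwrap: drop the tag, keep its (escaped) text
        rendered = []
        for name, value in attrs:
            # Event handlers (onerror=...), style= and anything else not
            # explicitly allowed for this tag are dropped here.
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS:
                value = safe_url(value)  # entity references already decoded
                if value is None:
                    continue
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag == "a":
            rendered.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if self._drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self._drop_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped


def sanitize_html(fragment: str) -> str:
    """Re-serialise fragment with only allowlisted tags, attributes and URL schemes."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Sanitizing on output is only half of the nbconvert entry's lesson: a sanitized document is still harmful if it is served from the notebook server's origin with the user's cookies attached, so served HTML also needs to be isolated (a separate origin or a restrictive Content-Security-Policy) rather than trusted because it was filtered.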

© 2024 SecAlerts Pty Ltd.