CVE-2022-21697

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-21697

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-21697.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-21697

Aliases

Related

GHSA-gcv9-6737-pjqw

Published

2022-01-25T14:15:08Z

Modified

2025-01-08T14:02:40.239330Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N CVSS Calculator

Summary

[none]

Details

Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the allowed_hosts check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.

References

Affected packages

Git / github.com/jupyterhub/jupyter-server-proxy

Affected ranges

Type: GIT
Repo: https://github.com/jupyterhub/jupyter-server-proxy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fd31930bacd12188c448c886e0783529436b99eb

Fixed

fd31930bacd12188c448c886e0783529436b99eb

Affected versions

v0.*

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.5.0

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v0.8.7

v0.8.8

v1.*

v1.0.0

v1.0.1

v1.1.0

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.5.0

v1.5.2

v1.5.3

v1.6.0

v3.*

v3.0.0

v3.0.0-rc.1

v3.0.1

v3.0.2

v3.1.0

v3.2.0