GHSA-fvcq-4x64-hqxr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fvcq-4x64-hqxr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-fvcq-4x64-hqxr/GHSA-fvcq-4x64-hqxr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fvcq-4x64-hqxr
- Aliases
- Related
- Published
- 2024-06-11T21:12:47Z
- Modified
- 2024-06-12T19:31:36.859659Z
- Severity
-
- 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Jupyter Server Proxy has a reflected XSS issue in host parameter
- Details
-
Impact
There is a reflected cross-site scripting (XSS) issue in
jupyter-server-proxy[1]. The/proxyendpoint accepts ahostpath segment in the format/proxy/<host>. When this endpoint is called with an invalidhostvalue,jupyter-server-proxyreplies with a response that includes the value ofhost, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalidhostvalue containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response ofGET /proxy/<host>, which runs the custom JavaScript contained inhostset by the actor. As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. This issue exists in the latest release ofjupyter-server-proxy, currentlyv4.1.2. Impacted versions:>=3.0.0,<=4.1.2Patches
The patches are included in
==4.2.0and==3.2.4.Workarounds
Server operators who are unable to upgrade can disable the
jupyter-server-proxyextension with:jupyter server extension disable jupyter-server-proxyReferences
[1] : https://github.com/jupyterhub/jupyter-server-proxy/ [2] : https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyterserverproxy/handlers.py#L328
- Database specific
{ "nvd_published_at": "2024-06-11T22:15:09Z", "cwe_ids": [ "CWE-116", "CWE-79" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-06-11T21:12:47Z" }- References
-
- https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr
- https://nvd.nist.gov/vuln/detail/CVE-2024-35225
- https://github.com/jupyterhub/jupyter-server-proxy/commit/7abc9dc5bbb0b4b440548a5375261b8b8192fc22
- https://github.com/jupyterhub/jupyter-server-proxy/commit/ff78128087e73fb9d0909e1366f8bf051e8ea878
- https://github.com/jupyterhub/jupyter-server-proxy
- https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328
Affected packages
PyPI / jupyter-server-proxy
Package
- Name
- jupyter-server-proxy
- View open source insights on deps.dev
- Purl
- pkg:pypi/jupyter-server-proxy
PyPI / jupyter-server-proxy
Package
- Name
- jupyter-server-proxy
- View open source insights on deps.dev
- Purl
- pkg:pypi/jupyter-server-proxy