PYSEC-2022-16

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-server-proxy/PYSEC-2022-16.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2022-16

Aliases

Published

2022-01-25T14:15:00Z

Modified

2023-11-01T04:57:41.932341Z

Summary

[none]

Details

Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the allowed_hosts check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.

References

Affected packages

PyPI / jupyter-server-proxy

Package

Name: jupyter-server-proxy; View open source insights on deps.dev
Purl: pkg:pypi/jupyter-server-proxy

Affected ranges

Type: GIT
Repo: https://github.com/jupyterhub/jupyter-server-proxy
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fd31930bacd12188c448c886e0783529436b99eb

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.1

Affected versions

1.*

1.0b1

1.0b2

1.0b4

1.0b5

1.0b6

1.0b7

1.0b8

1.0b9

1.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.3.2

1.4.0

1.5.0

1.5.2

1.5.3

1.6.0

3.*

3.0.0rc1

3.0.0

3.0.1

3.0.2

3.1.0

3.2.0