UBUNTU-CVE-2024-28233

Source
https://ubuntu.com/security/CVE-2024-28233
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-28233.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-28233
Related
Published
2024-03-27T19:15:00Z
Modified
2024-10-15T14:14:09Z
Summary
[none]
Details

JupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, an attacker can achieve an XSS directly affecting that user's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to the JupyterHub API and to the user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0.

References

Affected packages

Ubuntu:22.04:LTS / jupyterhub

Package

Name
jupyterhub
Purl
pkg:deb/ubuntu/jupyterhub?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

2.*

2.0.0+ds1-1
2.0.0+ds1-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / jupyterhub

Package

Name
jupyterhub
Purl
pkg:deb/ubuntu/jupyterhub?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

3.*

3.0.0+ds1-1

5.*

5.0.0+ds1-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / jupyterhub

Package

Name
jupyterhub
Purl
pkg:deb/ubuntu/jupyterhub?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

3.*

3.0.0+ds1-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}