pysec-2022-16
Vulnerability from pysec
Published
2022-01-25 14:15
Modified
2022-02-01 17:37
Details

Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the allowed_hosts check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.

Aliases


To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server-proxy",
        "purl": "pkg:pypi/jupyter-server-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "fd31930bacd12188c448c886e0783529436b99eb"
            }
          ],
          "repo": "https://github.com/jupyterhub/jupyter-server-proxy",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0",
        "1.0.1",
        "1.0b1",
        "1.0b2",
        "1.0b4",
        "1.0b5",
        "1.0b6",
        "1.0b7",
        "1.0b8",
        "1.0b9",
        "1.1.0",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.4.0",
        "1.5.0",
        "1.5.2",
        "1.5.3",
        "1.6.0",
        "3.0.0",
        "3.0.0rc1",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21697",
    "GHSA-gcv9-6737-pjqw"
  ],
  "details": "Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the `allowed_hosts` check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.",
  "id": "PYSEC-2022-16",
  "modified": "2022-02-01T17:37:55.179786Z",
  "published": "2022-01-25T14:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/compare/v3.2.0...v3.2.1.patch"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-gcv9-6737-pjqw"
    },
    {
      "type": "FIX",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/fd31930bacd12188c448c886e0783529436b99eb"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.