Control: severity -1 normal

On Tue, Dec 05, 2023 at 11:58:24AM +0100, Salvatore Bonaccorso wrote:
> Source: jupyter-server
> Version: 1.23.3-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> <t...@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for jupyter-server.
> 
> CVE-2023-49080[0]:
> | The Jupyter Server provides the backend (i.e. the core services,
> | APIs, and REST endpoints) for Jupyter web applications like Jupyter
> | notebook, JupyterLab, and Voila. Unhandled errors in API requests
> | coming from an authenticated user include traceback information,
> | which can include path information. There is no known mechanism by
> | which to trigger these errors without authentication, so the paths
> | revealed are not considered particularly sensitive, given that the
> | requesting user has arbitrary execution permissions already in the
> | same environment. A fix has been introduced in commit `0056c3aa52`
> | which no longer includes traceback information in JSON error
> | responses. For compatibility, the traceback field is present, but
> | always empty. This commit has been included in version 2.11.2. Users
> | are advised to upgrade. There are no known workarounds for this
> | vulnerability.

As disclosure of path information does not really have a security impact in
Debian, downgrading the severity further.

Regards,
Salvatore
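To make the quoted advisory concrete, here is an added illustration (not jupyter-server's code, and the handler names are constructed for the example) of the before/after shape of a JSON error response: the pre-fix version serialises the formatted traceback, which carries source file paths, while the compatible fix keeps the `traceback` key but leaves it empty; a small check at the end shows how an operator can confirm which shape a server returns.

```python
# Added illustration (not jupyter-server's code): how a JSON error body built
# from an unhandled exception leaks traceback/path information, and the
# compatible fix the advisory describes (field kept, always empty).
import json
import traceback


def risky_operation(name):
    # Constructed stand-in for an API handler that fails unexpectedly.
    raise RuntimeError(f"unexpected state for {name!r}")


def error_response_before(exc):
    # Pre-fix shape: the formatted traceback (file paths, line numbers and the
    # exception message) is serialised straight into the JSON body.
    return json.dumps({
        "message": str(exc),
        "traceback": traceback.format_exc(),
    })


def error_response_after(exc):
    # Post-fix shape: the key stays for API compatibility but is always empty.
    return json.dumps({
        "message": str(exc),
        "traceback": "",
    })


def handle_request(name, build_error):
    # Simulates the server's catch-all path for an unhandled handler error;
    # build_error runs inside the except block so format_exc() sees the error.
    try:
        return risky_operation(name)
    except Exception as exc:
        return build_error(exc)


def leaks_traceback(body):
    # Operator-side check on a captured JSON error body: a non-empty
    # "traceback" field means the response still carries path information.
    data = json.loads(body)
    return bool(data.get("traceback"))
```

Running `leaks_traceback` against an error body captured from a deployed instance tells you whether the unpatched behaviour is still present.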
