Source: jupyter-server
Version: 1.23.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: fixed -1 2.9.1-1

Hi,

The following vulnerability was published for jupyter-server.

CVE-2023-40170[0]:
| jupyter-server is the backend for Jupyter web applications. Improper
| cross-site credential checks on `/files/` URLs could allow exposure
| of certain file contents, or accessing files when opening untrusted
| files via "Open image in new tab". This issue has been addressed in
| commit `87a49272728` which has been included in release `2.7.2`.
| Users are advised to upgrade. Users unable to upgrade may use the
| lower performance
| `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`,
| which implements the correct checks.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40170
    https://www.cve.org/CVERecord?id=CVE-2023-40170
[1] https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
[2] https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd

Regards,
Salvatore
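The advisory quoted above gives two facts an operator acts on: the fix landed in upstream release 2.7.2, and installations that cannot upgrade can switch `ContentsManager.files_handler_class` to `jupyter_server.files.handlers.FilesHandler`. The script below is an added example written for this report; it is not code from jupyter_server or from the Debian package. It reduces a version string (pip style, or Debian style with epoch and revision) to a comparable tuple, decides whether the version predates 2.7.2, and emits the workaround in the standard traitlets `c.<Class>.<trait>` form used in `jupyter_server_config.py`. The function names, the handling of pre-release suffixes, and the `installed_version` helper are this example's own choices, not anything the advisory specifies.

```python
# Added example for the CVE-2023-40170 bug report above; not code from
# jupyter_server or the Debian package. It gates on the upstream fix
# release named in the advisory (2.7.2) and emits the advisory's
# workaround as a jupyter_server_config.py line.
import re
from typing import Optional, Tuple

# From the advisory: release carrying fix commit 87a49272728.
FIXED_UPSTREAM = (2, 7, 2, 1)
# From this bug report's "Control: fixed -1 2.9.1-1" line. A Debian
# package with a lower version number may still carry a backported fix,
# so for Debian packages consult the changelog, not only the number.
DEBIAN_FIXED = "2.9.1-1"
# From the advisory: the handler that implements the correct checks.
WORKAROUND_HANDLER = "jupyter_server.files.handlers.FilesHandler"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_PRERELEASE_RE = re.compile(r"(a|b|rc|\.dev)\d")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Reduce an upstream or Debian version string to a comparable tuple.

    "1:2.7.2-1" -> (2, 7, 2, 1): the Debian epoch ("1:") and revision
    ("-1") are dropped. The fourth element is 0 for a pre-release of
    that number (e.g. "2.7.2rc1") and 1 for the final release, so a
    release candidate of the fix version still sorts below the fix.
    (Assumed convention of this example, not of the advisory.)
    """
    upstream = version.split(":", 1)[-1].split("-", 1)[0]
    m = _VERSION_RE.match(upstream)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    final = 0 if _PRERELEASE_RE.match(upstream[m.end():]) else 1
    return (major, minor, patch, final)


def needs_workaround(version: str) -> bool:
    """True when this upstream version predates the fix in 2.7.2."""
    return parse_version(version) < FIXED_UPSTREAM


def workaround_config_line() -> str:
    """The advisory's workaround as a jupyter_server_config.py assignment.

    Equivalent to the command-line form quoted in the advisory,
    --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler
    """
    return f'c.ContentsManager.files_handler_class = "{WORKAROUND_HANDLER}"'


def installed_version() -> Optional[str]:
    """Version of the jupyter_server importable here, or None if absent."""
    try:
        import jupyter_server
    except ImportError:
        return None
    return jupyter_server.__version__


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("jupyter_server is not installed in this interpreter")
    elif needs_workaround(v):
        print(f"jupyter_server {v} predates 2.7.2; add this to jupyter_server_config.py:")
        print(workaround_config_line())
    else:
        print(f"jupyter_server {v} is 2.7.2 or later and includes the upstream fix")
```

After adding the emitted line to `jupyter_server_config.py` and restarting the server, the effective value can be confirmed with traitlets' `--show-config` flag (`jupyter server --show-config`), which should list `ContentsManager.files_handler_class` set to the `FilesHandler` class. The advisory calls this handler "lower performance", so treat it as a stopgap until the package is at 2.7.2 upstream or 2.9.1-1 in Debian.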