Impact
Users of JupyterLab who click on a malicious link may get their Authorization
and XSRFToken
tokens exposed to a third party when running an older jupyter-server
version.
Patches
JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.
Workarounds
No workaround has been identified, however users should ensure to upgrade jupyter-server
to version 2.7.2 or newer which includes a redirect vulnerability fix.
References
Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
Impact
Users of JupyterLab who click on a malicious link may get their
Authorization
andXSRFToken
tokens exposed to a third party when running an olderjupyter-server
version.Patches
JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.
Workarounds
No workaround has been identified, however users should ensure to upgrade
jupyter-server
to version 2.7.2 or newer which includes a redirect vulnerability fix.References
Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.