Impact
Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version.
Patches
JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.
Workarounds
No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.
References
Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
Impact
Users of JupyterLab who click on a malicious link may get their
AuthorizationandXSRFTokentokens exposed to a third party when running an olderjupyter-serverversion.Patches
JupyterLab 4.1.0b2, 4.0.11, and 3.6.7 were patched.
Workarounds
No workaround has been identified, however users should ensure to upgrade
jupyter-serverto version 2.7.2 or newer which includes a redirect vulnerability fix.References
Vulnerability reported by user @davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.