CVE-2023-40170

CVSS 3.1 Score 4.6 of 10 (medium)

Details

Published Aug 28, 2023
Updated: Sep 15, 2023
CWE ID 306 (Missing Authentication for Critical Function)
CWE ID 284 (Improper Access Control)
CWE ID 79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Summary

CVE-2023-40170 is a vulnerability in jupyter-server, the backend for Jupyter web applications. It is caused by improper cross-site credential checks on `/files/` URLs: the handler accepted the browser's ambient login credentials without verifying that the request came from the notebook's own origin, which could expose certain file contents to a foreign page, or allow access to files when opening untrusted files via "Open image in new tab". The vulnerability is addressed in commit `87a49272728`, included in release `2.7.2`; users are advised to upgrade to that version. Users who cannot upgrade can instead set the lower-performance option `--ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler`, which serves `/files/` through a handler that implements the correct checks. The vulnerability is rated medium, with a base score of 4.6 and low impact on confidentiality and integrity.
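To make the failure mode concrete, the following is an added example, not code from the advisory or from jupyter_server: a minimal model of a `/files/` authorization decision that serves any request carrying the login cookie, beside a hardened decision that treats the cookie as ambient and additionally requires either a same-site origin (`Sec-Fetch-Site`, with a `Referer` fallback for older browsers) or an explicit XSRF token that a foreign page cannot read. The request class, cookie and header names, token values and server origin are all constructed for the demonstration; the real handler's logic and the "Open image in new tab" vector are not modelled.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed fixture values for the demonstration (not jupyter_server's names).
SERVER_ORIGIN = "https://notebook.example.test"
SESSION_COOKIE = "session"            # assumed login cookie name
XSRF_HEADER = "X-XSRFToken"           # header a same-origin script adds explicitly
VALID_SESSIONS = {"s3cr3t-session"}   # one logged-in user
VALID_XSRF_TOKENS = {"tok-123"}       # that user's XSRF token


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to a /files/ URL."""
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def logged_in(req: Request) -> bool:
    return req.cookies.get(SESSION_COOKIE) in VALID_SESSIONS


def vulnerable_allow(req: Request) -> bool:
    """Serve whenever a valid session cookie is present.

    The browser attaches that cookie to any request for the URL, including an
    <img src="https://notebook.example.test/files/..."> on an attacker's page,
    so this check alone lets a foreign origin pull file contents."""
    return logged_in(req)


def is_same_site(req: Request) -> bool:
    """True only when the browser signals the request originated from our own origin."""
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site is not None:
        # "none" means the user typed or bookmarked the URL; "same-site" (a sibling
        # subdomain) is deliberately rejected along with "cross-site".
        return fetch_site in ("same-origin", "none")
    # Older browsers send no Sec-Fetch-* headers: fall back to the Referer origin
    # and fail closed when it is absent.
    referer = req.headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SERVER_ORIGIN


def hardened_allow(req: Request) -> bool:
    """Ambient cookie credentials count only for same-site requests.

    A cross-site request must carry the XSRF token, which a foreign page cannot
    read, so an <img>/<script> inclusion from another origin is refused even
    though the cookie rides along."""
    if not logged_in(req):
        return False
    if req.headers.get(XSRF_HEADER) in VALID_XSRF_TOKENS:
        return True
    return is_same_site(req)


def demo() -> dict:
    """Run both checks against constructed requests; returns {name: (vulnerable, hardened)}."""
    victim = {SESSION_COOKIE: "s3cr3t-session"}
    path = "/files/notes/secret.txt"
    cases = {
        # User navigates inside the notebook UI.
        "same_origin_click": Request(path, victim, {"Sec-Fetch-Site": "same-origin"}),
        # Attacker page embeds the file; the cookie is sent automatically.
        "cross_site_img": Request(path, victim, {"Sec-Fetch-Site": "cross-site",
                                                 "Referer": "https://evil.example/"}),
        # Notebook front-end fetches with its token.
        "token_fetch": Request(path, victim, {XSRF_HEADER: "tok-123",
                                              "Sec-Fetch-Site": "same-origin"}),
        # Legacy browser: no Sec-Fetch-Site, Referer is our own tree view.
        "legacy_referer": Request(path, victim, {"Referer": f"{SERVER_ORIGIN}/tree"}),
        # Legacy browser, cross-site inclusion that strips the Referer.
        "legacy_no_referer": Request(path, victim, {}),
        # Not logged in at all.
        "anonymous": Request(path, {}, {"Sec-Fetch-Site": "same-origin"}),
    }
    return {name: (vulnerable_allow(r), hardened_allow(r)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:18s} vulnerable={vuln!s:5s} hardened={fixed}")
```

The only case where the two decisions differ is the cross-site inclusion: the vulnerable check serves `secret.txt` to the attacker's page because the session cookie is present, while the hardened check refuses it and still serves every legitimate same-origin or token-bearing request. Failing closed when neither `Sec-Fetch-Site` nor `Referer` is present is the conservative choice for an endpoint that returns arbitrary user files.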
