PYSEC-2022-16

Vulnerability from pysec - Published: 2022-01-25 14:15 - Updated: 2022-02-01 17:37
VLAI?
Details

Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the allowed_hosts check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.

Impacted products
Name purl
jupyter-server-proxy pkg:pypi/jupyter-server-proxy
Aliases
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server-proxy",
        "purl": "pkg:pypi/jupyter-server-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "fd31930bacd12188c448c886e0783529436b99eb"
            }
          ],
          "repo": "https://github.com/jupyterhub/jupyter-server-proxy",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0",
        "1.0.1",
        "1.0b1",
        "1.0b2",
        "1.0b4",
        "1.0b5",
        "1.0b6",
        "1.0b7",
        "1.0b8",
        "1.0b9",
        "1.1.0",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.4.0",
        "1.5.0",
        "1.5.2",
        "1.5.3",
        "1.6.0",
        "3.0.0",
        "3.0.0rc1",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-21697",
    "GHSA-gcv9-6737-pjqw"
  ],
  "details": "Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the `allowed_hosts` check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or, as a workaround, install the patch manually.",
  "id": "PYSEC-2022-16",
  "modified": "2022-02-01T17:37:55.179786Z",
  "published": "2022-01-25T14:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/compare/v3.2.0...v3.2.1.patch"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-gcv9-6737-pjqw"
    },
    {
      "type": "FIX",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/fd31930bacd12188c448c886e0783529436b99eb"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.