| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.0 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been identified in Jupyter Server 2.11.2. It affects an unknown functionality of the component API, and manipulation leads to information exposure. The vulnerability is tracked as CVE-2023-49080. The attack can be performed remotely. No exploit is available. Upgrading the affected component is recommended.
Details
A vulnerability classified as problematic has been found in Jupyter Server 2.11.2. It affects an unknown code block of the component API. Manipulation with an unknown input leads to an information exposure vulnerability. The CWE classification is CWE-209: the product generates an error message that includes sensitive information about its environment, users, or associated data. The impact is on confidentiality. CVE summarizes:
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. A fix has been introduced in commit `0056c3aa52` which no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. This commit has been included in version 2.11.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
The weakness was published on 12/05/2023 as GHSA-h56g-gq9v-vc8r. The advisory is available at github.com. This vulnerability has been tracked as CVE-2023-49080 since 11/21/2023. The technical details are unknown and an exploit is not available. This vulnerability is mapped to MITRE ATT&CK technique T1592.
Upgrading to version 2.11.2 eliminates this vulnerability. Applying the patch 0056c3aa52cbb28b263a7a609ae5f17618b36652 also eliminates the problem. The bugfix is available for download at github.com. The best mitigation is to upgrade to the latest version.
CVSSv3
VulDB Meta Base Score: 4.0
VulDB Meta Temp Score: 4.0
VulDB Base Score: 4.3
VulDB Temp Score: 4.1
NVD Base Score: 4.3
CNA Base Score (GitHub, Inc.): 3.5
Exploiting
Class: Information exposure
CWE: CWE-209 / CWE-200 / CWE-284
Physical: No
Local: No
Remote: Yes
Status: Not defined
Countermeasures
Recommended: Upgrade
Upgrade: Server 2.11.2
Patch: 0056c3aa52cbb28b263a7a609ae5f17618b36652
Timeline
11/21/2023
12/05/2023
12/05/2023
12/23/2023
Sources
Advisory: GHSA-h56g-gq9v-vc8r
Status: Confirmed
CVE: CVE-2023-49080
GCVE (CVE): GCVE-0-2023-49080
GCVE (VulDB): GCVE-100-246818
Entry
Created: 12/05/2023 08:05
Updated: 12/23/2023 10:22
Changes: 12/05/2023 08:05 (52), 12/23/2023 10:22 (11)