AVID-2026-R1272
Description
Open Redirect Vulnerability in jupyter-server (CVE-2023-39968)
Details
jupyter-server is the backend for Jupyter web applications. It contains an open redirect vulnerability: maliciously crafted login links to known Jupyter Servers can cause a successful login, or an already logged-in session, to be redirected to arbitrary sites, whereas redirection should be restricted to URLs served by the Jupyter Server itself. This issue has been addressed in commit 29036259, which is included in release 2.7.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
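The mitigation for this class of bug (CWE-601) is to accept a post-login redirect target only when it is a path served by the same server. The following validator is an added illustration, not jupyter-server's own fix; it assumes a server-relative `base_url` such as `/` or `/hub/` and a `next`-style parameter supplied by the client.

```python
from urllib.parse import urlsplit

# Illustrative open-redirect check (not jupyter-server's code): decide whether
# a client-supplied post-login target may be used as a redirect Location.
# Only absolute paths rooted under the server's base_url are accepted.


def is_server_relative(target: str, base_url: str = "/") -> bool:
    """Return True only if `target` stays on this server under base_url."""
    if not target or not base_url.startswith("/"):
        return False
    # Whitespace and control characters never belong in a redirect target.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat a backslash like a slash, so "/\host" would become
    # scheme-relative after normalisation; refuse backslashes outright.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    # Any scheme ("https:", "javascript:") or host component leaves this origin.
    if parts.scheme or parts.netloc:
        return False
    # "//host/..." is scheme-relative; urlsplit reports a netloc for it, but
    # the explicit check keeps the intent visible.
    if target.startswith("//"):
        return False
    # Must be an absolute path, and that path must sit under base_url
    # ("/hubx/" must not pass for base_url "/hub/").
    if not target.startswith("/"):
        return False
    base = base_url if base_url.endswith("/") else base_url + "/"
    return target == base.rstrip("/") or target.startswith(base)


def login_redirect_target(next_param, base_url: str = "/") -> str:
    """Destination after login: the requested path if it stays on this
    server, otherwise the server's own base_url."""
    if next_param is not None and is_server_relative(next_param, base_url):
        return next_param
    return base_url
```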
Reason for inclusion in AVID: CVE-2023-39968 describes an open redirect vulnerability in jupyter-server, a core component of Jupyter notebooks that is widely used in AI workflows. It is a software vulnerability in a component that is commonly part of AI pipelines (data preparation, experimentation, model development, deployment tooling), so it is relevant to AI systems and their software supply chain (dependencies and runtimes for AI workloads); it is a security vulnerability with an upgrade path provided by the CVE. The description and references support its classification as a software security issue in a component used in AI stacks.
References
- NVD entry
- https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
- https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ/
Affected or Relevant Artifacts
- Developer: jupyter-server
- Deployer: jupyter-server
- Artifact Details:
| Type | Name |
|---|---|
| System | jupyter_server |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| Base Score | 4.3 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-601 | CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-08-28
- Version: 0.3.3
- AVID Entry