What is CVE-2023-40170?

CVE-2023-40170 is a medium-severity vulnerability in Jupyter-server Jupyter_server, classified under Improper Access Control. CVSS score: 4.6/10. Published 2023-08-28.

How severe is CVE-2023-40170?

Medium severity. CVSS v3 base score is 4.6 out of 10.

Auth bypass in Jupyter-server Jupyter_server

CVE-2023-40170

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab"…

EPSS: 0.007 (72.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.6 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N.

Affected products

Jupyter-server Jupyter_server — versions < 2.7.2

Weakness classification (CWE)

CWE-284 — Improper Access Control
CWE-306 — Missing Authentication for Critical Function

References

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 (x_refsource_CONFIRM)
https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd (x_refsource_MISC)
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/…

Frequently asked questions

What is CVE-2023-40170?: CVE-2023-40170 is a medium-severity vulnerability in Jupyter-server Jupyter_server, classified under Improper Access Control. CVSS score: 4.6/10. Published 2023-08-28.
How severe is CVE-2023-40170?: Medium severity. CVSS v3 base score is 4.6 out of 10.