ghsa-fvcq-4x64-hqxr
Vulnerability from github
Impact
There is a reflected cross-site scripting (XSS) issue in jupyter-server-proxy[1]. The /proxy endpoint accepts a host path segment in the format /proxy/<host>. When this endpoint is called with an invalid host value, jupyter-server-proxy replies with a response that includes the value of host, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid host value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of GET /proxy/<host>, which runs the custom JavaScript contained in host set by the actor.
As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. This issue exists in the latest release of jupyter-server-proxy, currently v4.1.2.
Impacted versions: >=3.0.0,<=4.1.2
Patches
The patches are included in ==4.2.0 and ==3.2.4.
Workarounds
Server operators who are unable to upgrade can disable the jupyter-server-proxy extension with:
jupyter server extension disable jupyter-server-proxy
References
[1] : https://github.com/jupyterhub/jupyter-server-proxy/ [2] : https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328
{ affected: [ { package: { ecosystem: "PyPI", name: "jupyter-server-proxy", }, ranges: [ { events: [ { introduced: "3.0.0", }, { fixed: "3.2.4", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "PyPI", name: "jupyter-server-proxy", }, ranges: [ { events: [ { introduced: "4.0.0", }, { fixed: "4.2.0", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2024-35225", ], database_specific: { cwe_ids: [ "CWE-116", "CWE-79", ], github_reviewed: true, github_reviewed_at: "2024-06-11T21:12:47Z", nvd_published_at: "2024-06-11T22:15:09Z", severity: "CRITICAL", }, details: "### Impact\n\nThere is a reflected cross-site scripting (XSS) issue in `jupyter-server-proxy`[1]. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/<host>`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/<host>`, which runs the custom JavaScript contained in `host` set by the actor.\nAs any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. This issue exists in the latest release of `jupyter-server-proxy`, currently `v4.1.2`.\n**Impacted versions:** `>=3.0.0,<=4.1.2`\n\n### Patches\n\nThe patches are included in `==4.2.0` and `==3.2.4`.\n\n### Workarounds\n\nServer operators who are unable to upgrade can disable the `jupyter-server-proxy` extension with:\n\n```\njupyter server extension disable jupyter-server-proxy\n```\n\n### References\n\n[1] : https://github.com/jupyterhub/jupyter-server-proxy/\n[2] : https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328", id: "GHSA-fvcq-4x64-hqxr", modified: "2025-02-28T17:38:13Z", published: "2024-06-11T21:12:47Z", references: [ { type: "WEB", url: "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-35225", }, { type: "WEB", url: "https://github.com/jupyterhub/jupyter-server-proxy/commit/7abc9dc5bbb0b4b440548a5375261b8b8192fc22", }, { type: "WEB", url: "https://github.com/jupyterhub/jupyter-server-proxy/commit/ff78128087e73fb9d0909e1366f8bf051e8ea878", }, { type: "PACKAGE", url: "https://github.com/jupyterhub/jupyter-server-proxy", }, { type: "WEB", url: "https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328", }, { type: "WEB", url: "https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server-proxy/PYSEC-2024-236.yaml", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", type: "CVSS_V3", }, ], summary: "Jupyter Server Proxy has a reflected XSS issue in host parameter", }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.