CVE-2019-10255

Description

An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.

CVSS Metrics

• v3.0•MEDIUM•Score: 6.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
• v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.46%• Percentile: 65%

Techniques & Countermeasures

• CWE-601•URL Redirection to Untrusted Site ('Open Redirect')

  The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Affected Systems

• jupyter•jupyterhub

  < 0.9.5

• jupyter•notebook

  < 5.7.7

• PyPI•jupyterhub

  < 0.9.6

• PyPI•notebook

  < 5.7.8

References (12)

• https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a8ed
• https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
• https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b
• https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c
• https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/
• https://nvd.nist.gov/vuln/detail/CVE-2019-10255
• https://github.com/advisories/GHSA-rv62-4pmj-xw6h
• https://github.com/jupyter/notebook
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO