cross-site inclusion (XSSI) of files in jupyter-server

GHSA-64x5-55rw-9974 · CVE-2023-40170 · PYSEC-2023-157

Published Aug 29, 2023 · Modified Feb 4, 2026

Description

Impact

Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab".

Patches

Jupyter Server 2.7.2

Workarounds

Use lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler, which implements the correct checks.

References

Upstream patch for CVE-2019-9644 was not applied completely, leaving part of the vulnerability open.

Vulnerability reported by Tim Coen via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

References

WEB https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-40170
WEB https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd
PACKAGE https://github.com/jupyter-server/jupyter_server
WEB https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-157.yaml
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes