CVE-2022-21697 Information

Description

Jupyter Server Proxy is a Jupyter notebook server extension to proxy web services. Versions of Jupyter Server Proxy prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts bypassing the allowed_hosts check. Because authentication is required which already grants permissions to make the same requests via kernel or terminal execution this is considered low to moderate severity. Users may upgrade to version 3.2.1 to receive a patch or as a workaround install the patch manually.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Reference

https://github.com/jupyterhub/jupyter-server-proxy/compare/v3.2.0…v3.2.1.patch https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-gcv9-6737-pjqw https://github.com/jupyterhub/jupyter-server-proxy/commit/fd31930bacd12188c448c886e0783529436b99eb

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

LOW

Base Score

NONE

Base Severity

7.1