CVE-2023-40170 Information

Description

jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on /files/ URLs could allow exposure of certain file contents or accessing files when opening untrusted files via \Open image in new tab. This issue has been addressed in commit 87a49272728 which has been included in release 2.7.2. Users are advised to upgrade. Users unable to upgrade may use the lower performance --ContentsManager.files_handler_class=jupyter_server.files.handlers.FilesHandler which implements the correct checks.

Reference

https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd