CVE-2024-22421
JupyterLab vulnerable to potential authentication and CSRF tokens leak
Description
JupyterLab is an extensible environment for interactive and reproducible computing, built on the Jupyter Notebook and its architecture.

Users of JupyterLab who click on a malicious link may have their `Authorization` and `XSRFToken` tokens exposed to a third party when the frontend is served by an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched.

No workaround has been identified. The JupyterLab upgrade fixes the client side; independently of it, users should upgrade `jupyter-server` to version 2.7.2 or newer, which includes the fix for the redirect vulnerability that an older server contributes to this issue. Upgrading only one of the two packages leaves the other half of the problem in place, so check both.
How to fix CVE-2024-22421
To remediate CVE-2024-22421, upgrade each affected package to the corresponding fixed version listed below.
- —upgrade to 7.0.7 or later
- —upgrade to 3.6.7 or later
- —upgrade to 7.0.7 or later
- —upgrade to 4.0.11+ds1-1 or later
- —upgrade to 4.0.11 or later
- —upgrade to 7.0.7 or later
Is CVE-2024-22421 being exploited?
Low. The EPSS score is 0.1%, which is an estimated probability of exploitation in the wild over the next 30 days of roughly one in a thousand. EPSS is a prediction, not a record of observed attacks, so a low score means exploitation is not expected at scale, not that it has been ruled out.
Affected packages (6)
- >= 7.0.0, < 7.0.7
- >= 0, < 3.6.7; >= 4.0.0, < 4.0.11
- >= 7.0.0, < 7.0.7
- >= 0, < 4.0.11+ds1-1
- >= 4.0.0, < 4.0.11
- >= 7.0.0, < 7.0.7
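The following script is an added example and is not code from the advisory or from the Jupyter projects. It compares installed package versions against the ranges in the "How to fix" and "Affected packages" lists above. The page does not name the package behind the 7.0.x range; the script assumes it is `notebook`, and it treats `jupyter-server` below 2.7.2 as needing an upgrade per the description rather than as a listed affected range. The version parser is a deliberately minimal PEP 440 subset (dotted release, a/b/rc pre-release, local suffix such as `+ds1-1` ignored); post- and dev-releases are not handled.

```python
"""Check installed Jupyter packages against the fixed versions for CVE-2024-22421.

Added example; ranges are taken from the advisory text. The mapping of the
7.0.x range to `notebook` is an assumption, since the page does not name it.
"""
import re
from importlib import metadata

# Vulnerable ranges as (lower_inclusive, upper_exclusive).
VULNERABLE_RANGES = {
    "jupyterlab": [("0", "3.6.7"), ("4.0.0", "4.0.11")],
    "notebook": [("7.0.0", "7.0.7")],       # assumed package for the 7.0.x range
    "jupyter-server": [("0", "2.7.2")],     # advisory recommendation, not a listed range
}

# Dotted release, optional a/b/rc pre-release. Anything after '+' (local version) is dropped.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}


def version_key(v):
    """Sortable key for a PEP 440-style version string.

    Pre-releases ('4.1.0b2') sort before the final release of the same number;
    short releases are padded so '4.0' == '4.0.0'; local suffixes are ignored.
    """
    v = v.split("+", 1)[0]
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release = release + (0,) * (4 - len(release))
    if m.group(2):
        pre = (0, _PRE_RANK[m.group(2)], int(m.group(3)))
    else:
        pre = (1, 0, 0)  # final release sorts after any pre-release
    return (release, pre)


def in_range(version, lo, hi):
    """True if lo <= version < hi under version_key ordering."""
    k = version_key(version)
    return version_key(lo) <= k < version_key(hi)


def is_vulnerable(package, version):
    """True if `version` of `package` falls in a vulnerable (or below-recommended) range."""
    return any(in_range(version, lo, hi) for lo, hi in VULNERABLE_RANGES.get(package, []))


def scan_installed():
    """Look up installed versions of the packages above.

    Returns {name: (installed_version, needs_upgrade)}; packages that are not
    installed are skipped.
    """
    report = {}
    for name in VULNERABLE_RANGES:
        try:
            v = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        report[name] = (v, is_vulnerable(name, v))
    return report


if __name__ == "__main__":
    for name, (v, bad) in scan_installed().items():
        print(f"{name:15s} {v:14s} {'UPGRADE' if bad else 'ok'}")
```

Run it inside the same Python environment that launches JupyterLab (a system Python and a virtualenv can carry different versions). A Debian-packaged `4.0.11+ds1-1` is recognised as fixed because the local suffix is stripped before comparison, and `4.1.0b2` sorts above `4.0.11`, so it is outside the vulnerable 4.x range as the advisory states.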
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L |

The vector matches the description: the attack is network-reachable with no privileges required (AV:N, PR:N) but needs the victim to click a link (UI:R), and the main impact is disclosure of the session tokens (C:H) rather than direct integrity or availability loss.