Vulnerability Description
An Open Redirect vulnerability allows a crafted link to the login page to send the user to an attacker-chosen site after a successful login. Jupyter Notebook before 5.7.7 is affected in all browsers; JupyterHub before 0.9.5 is affected only in some browsers (Chrome, Firefox). Servers running under a base_url prefix are not affected.
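The weakness is in how the post-login redirect target (the `next` parameter of the login page) is validated. The following is an added example, not code from Jupyter Notebook or JupyterHub: it puts a naive check that only demands a leading slash beside a stricter validator that refuses protocol-relative and absolute URLs, normalises backslashes first (browsers such as Chrome and Firefox parse `/\evil.example` like `//evil.example`, which is the kind of browser-specific behaviour the description hints at), and requires the path to sit under the deployment prefix. `BASE_URL`, `naive_is_safe`, `is_safe_redirect` and `choose_redirect` are names chosen for this example.

```python
"""Validating a login-page ``next`` parameter against open redirects.

Added example (not Jupyter's or JupyterHub's own code). BASE_URL stands in
for the deployment prefix that Jupyter calls base_url.
"""
from urllib.parse import urlsplit

BASE_URL = "/"  # assumed deployment prefix for this example


def naive_is_safe(url: str) -> bool:
    """The kind of check that is NOT enough: it only demands a leading slash.

    ``//evil.example`` passes, and browsers treat that as a protocol-relative
    URL pointing at another host.
    """
    return url.startswith("/")


def is_safe_redirect(url: str, base_url: str = BASE_URL) -> bool:
    """Allow only same-origin absolute paths under base_url.

    - control characters and whitespace are refused outright, since browsers
      strip some of them before parsing and the result may differ from ours
    - backslashes are normalised to slashes before parsing, because Chrome and
      Firefox parse ``/\\evil.example`` as ``//evil.example``
    - anything with a scheme or host (absolute or protocol-relative) is refused
    - the remaining path must be base_url itself or a path below it
    """
    if not url:
        return False
    if any(ord(c) < 0x20 or c in " \t\r\n" for c in url):
        return False
    normalized = url.replace("\\", "/")
    parts = urlsplit(normalized)
    if parts.scheme or parts.netloc:
        return False
    if normalized.startswith("//"):  # defensive; urlsplit already set netloc
        return False
    if not base_url.endswith("/"):
        base_url += "/"
    path = parts.path
    return path == base_url.rstrip("/") or path.startswith(base_url)


def choose_redirect(next_url: str, base_url: str = BASE_URL) -> str:
    """Return next_url if it is safe, otherwise fall back to base_url.

    This is the decision a login handler should make: never redirect to an
    unvalidated target, always fall back to a known-good page.
    """
    return next_url if is_safe_redirect(next_url, base_url) else base_url


if __name__ == "__main__":
    # Constructed sample targets, as an attacker might put in a crafted link.
    for candidate in ("/tree?path=notebooks", "//evil.example/", "/\\evil.example",
                      "https://evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:30} naive={naive_is_safe(candidate)!s:5} "
              f"strict={is_safe_redirect(candidate)!s:5} -> {choose_redirect(candidate)}")
```

Note that when the server runs under a prefix (for example `base_url="/hub/"`), the same validator also rejects same-origin paths outside that prefix, which matches the description's remark that prefixed deployments are not affected by this particular issue.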
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jupyter | Jupyterhub | < 0.9.5 |
| Jupyter | Notebook | < 5.7.7 |
Related Weaknesses (CWE)
References
- https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43 (Vendor Advisory)
- https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f97 (Patch, Third Party Advisory)
- https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b9 (Patch, Third Party Advisory)
- https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a (Patch, Third Party Advisory)
- https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c (Patch, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2019-10255?
CVE-2019-10255 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in JupyterHub before 0.9.5 allows crafted links to the login page, which will redirect to a malicious site after successful login. Servers running on a base_url prefix are not affected.
How severe is CVE-2019-10255?
CVE-2019-10255 has been rated MEDIUM with a CVSS base score of 6.1/10.
Is there a patch for CVE-2019-10255?
Check the references section above for vendor advisories and patch information. Affected products include: Jupyter Jupyterhub, Jupyter Notebook.