Description
An open redirect vulnerability in Jupyter Notebook before 5.7.7 (all browsers) and in JupyterHub before 0.9.5 (some browsers: Chrome, Firefox) allows a crafted link to the login page to redirect the user to a malicious site after successful login. Servers running on a base_url prefix are not affected.
References (7)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyter/notebook/commit/d65328d4841892b412aef9015165db1eb029a8ed
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyter/notebook/compare/05aa4b2...16cf97c
Vendor Advisory x_refsource_misc
https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/
Scores
CVSS v3
6.1
EPSS
0.0046
EPSS Percentile
64.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-601
Status
published
Products (4)
jupyter/jupyterhub
< 0.9.5
jupyter/notebook
< 5.7.7
pypi/jupyterhub
0 - 0.9.6 (PyPI)
pypi/notebook
0 - 5.7.8 (PyPI)
Published
Mar 28, 2019
Tracked Since
Feb 18, 2026