CVE-2022-39286

HIGH

Jupyter Core <4.11.2 - Code Injection

Title source: llm

Description

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

References (7)

[Patch, Third Party Advisory] https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283

View Patch ZIP pw:eip

[Third Party Advisory] https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html

[Third Party Advisory] https://security.gentoo.org/glsa/202301-04

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA/

[Third Party Advisory] https://www.debian.org/security/2023/dsa-5422

Scores

CVSS v3 8.8

EPSS 0.0033

EPSS Percentile 55.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-269 CWE-427 CWE-250

Status published

Products (6)

debian/debian_linux 10.0

debian/debian_linux 11.0

fedoraproject/fedora 36

fedoraproject/fedora 37

jupyter/jupyter_core < 4.11.2

pypi/jupyter-core 0 - 4.11.2PyPI

Published Oct 26, 2022

Tracked Since Feb 18, 2026