Safety vulnerability ID: 42289
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Jupyter-server 1.1.1 includes a fix for CVE-2020-26275: in Jupyter Server before version 1.1.1, an open redirect vulnerability could cause the Jupyter server to redirect the browser to a different, malicious website. All Jupyter servers running without a base_url prefix are technically affected; however, these maliciously crafted links can only be reasonably made by known Jupyter server hosts. A link to your Jupyter server may *appear* safe, but ultimately redirect to a spoofed server on the public internet. This same vulnerability was patched in upstream notebook v5.7.8. If an upgrade is not available, a workaround is to run your server on a URL prefix: "jupyter server --ServerApp.base_url=/jupyter/".
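A triage check for the conditions in this advisory, added here as an example and not taken from the advisory or the Jupyter project: it classifies a deployment as fixed, mitigated by the base_url workaround, or affected. The function names are hypothetical, and it assumes the prefix is passed on the command line in the `--ServerApp.base_url=` form quoted above; a prefix set in a config file is not detected.

```python
import re
import sys
from importlib import metadata

FIXED = (1, 1, 1)  # first fixed jupyter-server release, per the advisory above

def is_fixed(version: str) -> bool:
    """True if `version` is 1.1.1 final or later (pre-releases of 1.1.1 do not count)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (len(FIXED) - len(release))  # pad '1.1' to (1, 1, 0)
    prerelease = re.match(r"[.\-_]?(a|b|rc|dev)", m.group(2)) is not None
    return release > FIXED or (release == FIXED and not prerelease)

def base_url_from_argv(argv) -> str:
    """Value of --ServerApp.base_url=... in a launch command line, or '/' if absent."""
    for arg in argv:
        if arg.startswith("--ServerApp.base_url="):
            return arg.split("=", 1)[1]
    return "/"

def triage(version: str, base_url: str) -> str:
    """Classify a deployment against CVE-2020-26275 as described on this page."""
    if is_fixed(version):
        return "fixed"
    # The workaround only applies when a non-empty prefix is configured;
    # '' and '/' both mean the server runs without a base_url prefix.
    if base_url.strip("/"):
        return "mitigated-by-base_url"
    return "affected"

if __name__ == "__main__":
    # Pass the server's launch arguments to this script to check a real install.
    try:
        installed = metadata.version("jupyter-server")
    except metadata.PackageNotFoundError:
        sys.exit("jupyter-server is not installed in this environment")
    print(installed, triage(installed, base_url_from_argv(sys.argv[1:])))
```

A "mitigated-by-base_url" result still calls for an upgrade, since the advisory presents the prefix only as a workaround.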
Latest version: 2.14.2
The backend—i.e. core services, APIs, and REST endpoints—to Jupyter web applications.