Skip to main content

Exposure of Sensitive Information to an Unauthorized Actor


Severity Medium
Score 6.5/10


JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their "Authorization" and "XSRFToken" tokens exposed to a third party when running an older "jupyter-server" version. No workaround has been identified, however, users should ensure to upgrade "jupyter-server" which includes a redirect vulnerability fix. This issue affects versions jupyterlab versions through 3.6.6, and 4.0.0a0 through 4.0.10, and notebook versions 7.0.0a1 through 7.0.6 and @jupyterlab/services versions 1.1.0 through 6.6.6, 7.0.0-alpha.1 through 7.0.10 and 7.1.0-alpha.1 through 7.1.0-beta.1, @jupyterlab/apputils-extension 3.1.0-beta.2 through 3.6.6, 4.0.0-alpha.1 through 4.0.10 and 4.1.0-alpha.1 through 4.1.0-beta.1, @jupyterlab/translation 3.0.0-alpha.8 through 3.6.6, 4.0.0-alpha.1 through 4.0.10 and 4.1.0-alpha.1 through 4.1.0-beta.1 and @jupyterlab/hub-extension versions 1.0.0-alpha.9 through 3.6.6 and 4.0.0-alpha.1 through 4.0.10 and 4.1.0-alpha.1 through 4.1.0-beta.1.

  • LOW
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.


Advisory Timeline

  • Published