Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-22421

Severity Medium
Score 6.5/10

Summary

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. A JupyterLab user who clicks on a malicious link may have their "Authorization" and "XSRFToken" tokens exposed to a third party when the deployment is running an older "jupyter-server" version. No workaround has been identified; users should upgrade "jupyter-server" to a version that includes the redirect vulnerability fix.

Affected versions:

  • jupyterlab: through 3.6.6, and 4.0.0a0 through 4.0.10
  • notebook: 7.0.0a1 through 7.0.6
  • @jupyterlab/services: 1.1.0 through 6.6.6, 7.0.0-alpha.1 through 7.0.10, and 7.1.0-alpha.1 through 7.1.0-beta.1
  • @jupyterlab/apputils-extension: 3.1.0-beta.2 through 3.6.6, 4.0.0-alpha.1 through 4.0.10, and 4.1.0-alpha.1 through 4.1.0-beta.1
  • @jupyterlab/translation: 3.0.0-alpha.8 through 3.6.6, 4.0.0-alpha.1 through 4.0.10, and 4.1.0-alpha.1 through 4.1.0-beta.1
  • @jupyterlab/hub-extension: 1.0.0-alpha.9 through 3.6.6, 4.0.0-alpha.1 through 4.0.10, and 4.1.0-alpha.1 through 4.1.0-beta.1
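The exposure described above is a browser client that sends its Authorization and XSRF tokens with every request it makes, so that when the server redirects one of those requests to a third-party host the tokens travel along. The check a practitioner wants in such a client is shown below as an added example; it is not JupyterLab's, @jupyterlab/services' or jupyter-server's own code. The base URL, the token values and the function names (isSameOrigin, buildHeadersVulnerable, buildHeadersHardened, credentialsForRedirect) are assumptions constructed for the example: credentials are attached only when the request, resolved the way a browser would resolve it, lands on the same origin as the server's base URL.

```javascript
// Added example, not JupyterLab's or jupyter-server's own code.
// Shows the client-side check that stops a browser client from sending its
// "Authorization" and "X-XSRFToken" headers to a third-party origin after a
// redirect: credentials are attached only when the request resolves to the
// same origin as the server's base URL.

// Constructed sample values (assumptions for this example).
const SERVER_BASE_URL = 'https://jupyter.example.test/user/alice/';
const API_TOKEN = 'deadbeef';          // placeholder token, not a real secret
const XSRF_TOKEN = 'xsrf-placeholder'; // placeholder XSRF token

// Vulnerable shape: the credentials are added to every request, whatever the
// destination. If the server answers with a redirect to another host and the
// client follows it with the same headers, the tokens go along.
function buildHeadersVulnerable(requestUrl) {
  return {
    Authorization: `token ${API_TOKEN}`,
    'X-XSRFToken': XSRF_TOKEN,
  };
}

// Same-origin test. Relative paths ("api/contents", "/hub/login") resolve
// against the base URL and pass; absolute URLs on another host,
// protocol-relative URLs ("//evil.example/"), a different port, opaque
// schemes ("javascript:") and unparsable strings all fail.
function isSameOrigin(requestUrl, baseUrl = SERVER_BASE_URL) {
  let target;
  try {
    target = new URL(requestUrl, baseUrl);
  } catch (err) {
    return false; // unparsable URL: never attach credentials
  }
  // Opaque origins serialize as the string "null" and must never match.
  return target.origin !== 'null' && target.origin === new URL(baseUrl).origin;
}

// Hardened shape: credentials are attached only for same-origin targets.
function buildHeadersHardened(requestUrl, baseUrl = SERVER_BASE_URL) {
  const headers = {};
  if (isSameOrigin(requestUrl, baseUrl)) {
    headers.Authorization = `token ${API_TOKEN}`;
    headers['X-XSRFToken'] = XSRF_TOKEN;
  }
  return headers;
}

// Redirect handling: given the URL that was just requested and the Location
// header of its response, compute the next hop (resolved against the
// requested URL, as a browser does) and the headers it may carry.
function credentialsForRedirect(requestedUrl, locationHeader, baseUrl = SERVER_BASE_URL) {
  let next;
  try {
    next = new URL(locationHeader, requestedUrl).href;
  } catch (err) {
    return { url: null, headers: {} }; // malformed Location: do not follow
  }
  return { url: next, headers: buildHeadersHardened(next, baseUrl) };
}

// Constructed walk-through: a same-origin API request whose response
// redirects to a third-party host. The vulnerable client would resend its
// tokens; the hardened client sends no credentials on the second hop.
const firstHop = new URL('api/contents', SERVER_BASE_URL).href;
const secondHop = credentialsForRedirect(firstHop, 'https://evil.example/collect');
console.log('vulnerable:', buildHeadersVulnerable(secondHop.url));
console.log('hardened:  ', secondHop.headers, 'for', secondHop.url);
```

The check is independent of whether the server-side open redirect has been fixed: a client that refuses to attach tokens to anything but its own origin stays safe even when an upstream redirect is still present, which is why an origin comparison on the request URL, rather than a check on the path alone, is the right place to put it.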

CVSS v3.1 metrics (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N):

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: REQUIRED
  • Availability Impact: NONE
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE

CWE-200 - Information Exposure

An information exposure vulnerability is an information-flow weakness: data that should stay restricted, such as confidential personal information (demographics, financials, health records), business secrets, or details of the application's internal environment, becomes available to an actor who is not authorized to receive it. In this advisory the exposed data is the user's "Authorization" and "XSRFToken" tokens, which give whoever receives them the ability to act against the Jupyter server as that user.

Advisory Timeline

  • Published