CVE-2024-28233

NameCVE-2024-28233
DescriptionJupyterHub is an open source multi-user server for Jupyter notebooks. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve full access to JupyterHub API and user's single-user server. The affected configurations are single-origin JupyterHub deployments and JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. This vulnerability is fixed in 4.1.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1070388

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jupyterhub (PTS)bookworm3.0.0+ds1-1vulnerable
sid, trixie5.0.0+ds1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jupyterhubsource(unstable)5.0.0+ds1-11070388

Notes

[bookworm] - jupyterhub <no-dsa> (Minor issue)
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f

Search for package or bug name: Reporting problems