Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2022-39286

Published: 26 October 2022

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

Priority

Medium

Cvss 3 Severity Score

8.8

Score breakdown

Status

Package Release Status
jupyter-core
Launchpad, Ubuntu, Debian
focal
Released (4.6.3-3ubuntu0.1~esm1)
Available with Ubuntu Pro
jammy
Released (4.9.1-1ubuntu0.1~esm1)
Available with Ubuntu Pro
lunar Not vulnerable
(4.11.2-1)
upstream
Released (4.11.2)
bionic
Released (4.4.0-2ubuntu0.1~esm1)
Available with Ubuntu Pro
kinetic
Released (4.11.1-1ubuntu0.22.10.1)
trusty Ignored
(end of standard support, was needed)
xenial Ignored
(end of standard support, was needed)
Patches:
upstream: https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283

Severity score breakdown

Parameter Value
Base score 8.8
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H