CVE-2024-22421 - Vulnerability Details - OpenCVE

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Fedoraproject	Fedora
Jupyter	Jupyterlab Notebook

Configuration 1 [-]

OR	cpe:2.3:a:jupyter:jupyterlab::::::::
	cpe:2.3:a:jupyter:jupyterlab::::::::
	cpe:2.3:a:jupyter:notebook::::::::

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/

History

Tue, 17 Jun 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-19T20:45:49.027Z

Updated: 2025-06-17T21:19:25.169Z

Reserved: 2024-01-10T15:09:55.555Z

Link: CVE-2024-22421

Vulnrichment

Updated: 2025-06-17T21:15:57.364Z

NVD

Status : Modified

Published: 2024-01-19T21:15:09.870

Modified: 2024-11-21T08:56:15.343

Link: CVE-2024-22421

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22421", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-10T15:09:55.555Z", "datePublished": "2024-01-19T20:45:49.027Z", "dateUpdated": "2025-06-17T21:19:25.169Z"}, "containers": {"cna": {"title": "Potential authentication and CSRF tokens leak in JupyterLab", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947"}, {"name": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/"}], "affected": [{"vendor": "jupyterlab", "product": "jupyterlab", "versions": [{"version": "< 3.6.7", "status": "affected"}, {"version": ">=4.0.0,< 4.0.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-02T02:06:19.318Z"}, "descriptions": [{"lang": "en", "value": "JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix."}], "source": {"advisory": "GHSA-44cc-43rp-5947", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.929Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947"}, {"name": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22421", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-20T22:36:50.768827Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T21:19:25.169Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22421", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-10T15:09:55.555Z", "datePublished": "2024-01-19T20:45:49.027Z", "dateUpdated": "2025-02-13T17:33:45.045Z"}, "containers": {"cna": {"title": "Potential authentication and CSRF tokens leak in JupyterLab", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947"}, {"name": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/"}], "affected": [{"vendor": "jupyterlab", "product": "jupyterlab", "versions": [{"version": "< 3.6.7", "status": "affected"}, {"version": ">=4.0.0,< 4.0.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-02T02:06:19.318Z"}, "descriptions": [{"lang": "en", "value": "JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix."}], "source": {"advisory": "GHSA-44cc-43rp-5947", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22421", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-20T22:36:50.768827Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-06-17T21:15:57.364Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*", "matchCriteriaId": "6AB04D05-8A11-4C88-A8BC-654A2A735313", "versionEndExcluding": "3.6.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*:*", "matchCriteriaId": "98056E64-C6C4-498A-9C3F-67A7F4F11261", "versionEndExcluding": "4.0.11", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:jupyter:notebook:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF4CC1C2-B78B-466A-ACDE-4604DE69D4FD", "versionEndExcluding": "7.0.7", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix."}, {"lang": "es", "value": "JupyterLab es un entorno extensible para inform\u00e1tica interactiva y reproducible, basado en Jupyter Notebook y Architecture. Los usuarios de JupyterLab que hacen clic en un enlace malicioso pueden exponer sus tokens de \"Autorizaci\u00f3n\" y \"XSRFToken\" a un tercero cuando ejecutan una versi\u00f3n anterior de \"jupyter-server\". Las versiones 4.1.0b2, 4.0.11 y 3.6.7 de JupyterLab est\u00e1n parcheadas. No se ha identificado ning\u00fan workaround; sin embargo, los usuarios deben asegurarse de actualizar `jupyter-server` a la versi\u00f3n 2.7.2 o posterior, que incluye una soluci\u00f3n de vulnerabilidad de redireccionamiento."}], "id": "CVE-2024-22421", "lastModified": "2024-11-21T08:56:15.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-19T21:15:09.870", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}