6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-39968

GHSA ID

GHSA-r726-vmfq-j9j3

EPSS Score

0.59633%

CWE

CWE-601

Published

8/29/2023

Updated

9/24/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-39968

CVE-2023-39968: Open Redirect Vulnerability in jupyter-server

Impact

Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.

Patches

Upgrade to Jupyter Server 2.7.2

Workarounds

None.

References

Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak/

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-39968

CVE-2023-39968:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-39968

GHSA ID

GHSA-r726-vmfq-j9j3

EPSS Score

0.59633%

CWE

CWE-601

Published

8/29/2023

Updated

9/24/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jupyter-server	pip	< 2.7.2	2.7.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows critical modifications to _redirect_safe in login.py. The original code only checked parsed.netloc, while the patched version adds checks for parsed.scheme and modifies URL normalization. The vulnerability allowed crafted URLs with schemes but empty netloc (e.g., 'https:///evil.com') to bypass redirect restrictions. The added test case 'https:///a%40b/extra/slash' in test_login.py demonstrates the attack vector. The function's role in processing redirect URLs and the specific validation logic changes confirm its vulnerability to CWE-601.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-39968: Open Redirect Vulnerability in jupyter-server

Impact

Patches

Workarounds

References

CVE-2023-39968:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

6.1

Technical Details

Basic Information

Basic Information

CVE-2023-39968: Open Redirect Vulnerability in jupyter-server

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI