CVE-2022-39286 (High) detected in jupyter_core-4.6.1-py2.py3-none-any.whl

[mend-bolt-for-github]

CVE-2022-39286 - High Severity Vulnerability

Vulnerable Library - jupyter_core-4.6.1-py2.py3-none-any.whl

Jupyter core package. A base package on which Jupyter projects rely.

Library home page: https://files.pythonhosted.org/packages/fb/82/86437f661875e30682e99d04c13ba6c216f86f5f6ca6ef212d3ee8b6ca11/jupyter_core-4.6.1-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• jupyter-1.0.0-py2.py3-none-any.whl (Root Library)
  • nbconvert-5.6.1-py2.py3-none-any.whl
    • ❌ jupyter_core-4.6.1-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in jupyter_core that stems from jupyter_core executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

Publish Date: 2022-10-26

URL: CVE-2022-39286

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3363

Release Date: 2022-10-26

Fix Resolution: jupyter-core - 4.11.2

---

Step up your Open Source Security Game with Mend here