CVE-2024-22421: 
Python vulnerability analysis and mitigation

JupyterLab, an extensible environment for interactive and reproducible computing based on the Jupyter Notebook and Architecture, was found to contain a security vulnerability identified as CVE-2024-22421. The vulnerability was discovered and disclosed in January 2024, affecting JupyterLab versions prior to 4.0.11, 3.6.7, and 4.1.0b2. When users click on a malicious link while running an older jupyter-server version, their Authorization and XSRFToken tokens could potentially be exposed to unauthorized third parties (GitHub Advisory).

The vulnerability was assigned a CVSS v3.1 base score of 7.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L. The issue is classified under CWE-23 (Relative Path Traversal) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability specifically involves the potential exposure of authentication and CSRF tokens when a user interacts with maliciously crafted links (NVD).

If exploited, this vulnerability could lead to the exposure of sensitive authentication tokens (Authorization) and CSRF protection tokens (XSRFToken) to unauthorized third parties. This exposure could potentially allow attackers to hijack user sessions or bypass CSRF protections (GitHub Advisory).

The vulnerability has been patched in JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7. While no direct workaround has been identified, users are strongly advised to upgrade their jupyter-server to version 2.7.2 or newer, which includes a fix for the redirect vulnerability. The fix has also been incorporated into various distribution packages, including Fedora 39 (Fedora Update).

The vulnerability was reported through the European Commission's bug bounty program hosted on the Intigriti platform by user @davwwwx (GitHub Advisory).