CVE-2020-26215 (Medium) detected in notebook-5.7.8-py2.py3-none-any.whl

[mend-bolt-for-github]

CVE-2020-26215 - Medium Severity Vulnerability

Vulnerable Library - notebook-5.7.8-py2.py3-none-any.whl

Jupyter Notebook - A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/f6/36/89ebfffc9dd8c8dbd81c1ffb53e3d4233ee666414c143959477cb07cc5f5/notebook-5.7.8-py2.py3-none-any.whl

Path to dependency file: /ProbStats-with-TFP/requirements.txt

Path to vulnerable library: /teSource-ArchiveExtractor_06502b82-fa31-4507-bcc7-4f2a20df0a9c/20190519121749_57228/20190519121716_depth_0/4/notebook-5.7.8-py2.py3-none-any/notebook/notebook

Dependency Hierarchy:

• ❌ notebook-5.7.8-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5.

Publish Date: 2020-11-18

URL: CVE-2020-26215

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-c7vm-f5p4-8fqh

Release Date: 2020-11-18

Fix Resolution: 5.7.11

---

Step up your Open Source Security Game with Mend here