CVE-2023-40170

Name of the Vulnerable Software and Affected Versions jupyter-server versions prior to 2.7.2

Description The issue is related to improper cross-site credential checks on /files/ URLs, which could allow exposure of certain file contents or accessing files when opening untrusted files via "Open image in new tab".

Recommendations For versions prior to 2.7.2, upgrade to version 2.7.2 to resolve the issue. As a temporary workaround for users unable to upgrade, use the lower performance --ContentsManager.files handler class=jupyter server.files.handlers.FilesHandler, which implements the correct checks.