Minrk

**Name of the Vulnerable Software and Affected Versions** Jupyter Core versions prior to 5.8.0 **Description** The issue affects Jupyter Core on Windows, where the shared `%PROGRAMDATA%` directory is searched for configuration files, potentially allowing users to create files that impact other users. This is specifically a concern for shared Windows systems with multiple users and an unprotected `%PROGRAMDATA%` directory. **Recommendations** For versions prior to 5.8.0, upgrade to Jupyter Core version 5.8.0 or later. As an administrator, modify the permissions on the `%PROGRAMDATA%` directory to prevent unauthorized write access. As an administrator, create the `%PROGRAMDATA%jupyter` directory with restrictive permissions. As a user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with restrictive permissions, such as one controlled by administrators or the current user.

**Name of the Vulnerable Software and Affected Versions** JupyterHub versions prior to 5.0 OAuthenticator version prior to 16.3.1 **Description** The issue arises from a change in JupyterHub 5.0 where the `allow all` parameter takes precedence over the `identity provider` parameter when using `GlobusOAuthenticator`. This change can cause all users to be allowed to log in, regardless of their `identity provider`, if the configuration allows all users from a particular institution. This is a documented change in JupyterHub 5.0 but may catch many users by surprise. **Recommendations** For JupyterHub versions prior to 5.0, consider upgrading to OAuthenticator 16.3.1 to fix the issue. For OAuthenticator version prior to 16.3.1, do not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration. As a temporary workaround, avoid using the `allow all` parameter in conjunction with the `identity provider` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** nbgitpuller versions prior to 0.10.2 **Description** The issue arises due to unsanitized input, allowing arbitrary code execution in the user environment when visiting maliciously crafted links. **Recommendations** For versions prior to 0.10.2, upgrade to version 0.10.2 or downgrade to 0.8.x to resolve the issue. As a temporary workaround for users who cannot upgrade, there are no available workarounds other than upgrading to 0.10.2 or downgrading to 0.8.x.

**Name of the Vulnerable Software and Affected Versions** oauthenticator versions 0.12.0 through 0.12.1 **Description** The deprecated configuration `Authenticator.whitelist` is ignored by OAuthenticator classes, resulting in all authenticated users being allowed if no group or team restrictions are in place. Provider-based restrictions are not affected. Users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 who use the `admin.whitelist.users` configuration or the `c.Authenticator.whitelist` configuration directly are affected. A log line indicating that `allowed users` is not being used may suggest that a system is affected. **Recommendations** To resolve the issue for oauthenticator versions 0.12.0 through 0.12.1, update oauthenticator to 0.12.2. As a temporary workaround, replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed users = ...`. If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface. In the jupyterhub helm chart prior to 0.10.6, the workaround can be applied via `hub.extraConfig` by setting `allowedUsers` and configuring `extraConfig` to set the `allowed users` field.

**Name of the Vulnerable Software and Affected Versions** Jupyter Notebook versions prior to 5.7.6 **Description** A cross-site inclusion issue allows malicious pages to include resources when visited by authenticated users of a Jupyter server. This can lead to access of resource content, particularly demonstrated with Internet Explorer, where error messages can reveal the content of invalid JavaScript. **Recommendations** For versions prior to 5.7.6, update to version 5.7.6 or later to resolve the issue.