{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2022-39286","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","dateUpdated":"2025-04-23T16:43:15.864Z","dateReserved":"2022-09-02T00:00:00.000Z","datePublished":"2022-10-26T00:00:00.000Z"},"containers":{"cna":{"title":"Execution with Unnecessary Privileges in JupyterApp","providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-06-09T00:00:00.000Z"},"descriptions":[{"lang":"en","value":"Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds."}],"affected":[{"vendor":"jupyter","product":"jupyter_core","versions":[{"version":"< 4.11.2","status":"affected"}]}],"references":[{"url":"https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp"},{"url":"https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283"},{"name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3195-1] jupyter-core security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html"},{"name":"GLSA-202301-04","tags":["vendor-advisory"],"url":"https://security.gentoo.org/glsa/202301-04"},{"name":"FEDORA-2023-de87bd076b","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN/"},{"name":"FEDORA-2023-d966145959","tags":["vendor-advisory"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA/"},{"name":"DSA-5422","tags":["vendor-advisory"],"url":"https://www.debian.org/security/2023/dsa-5422"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-269: Improper Privilege Management","cweId":"CWE-269"}]},{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-250: Execution with Unnecessary Privileges","cweId":"CWE-250"}]}],"source":{"advisory":"GHSA-m678-f26j-3hrp","discovery":"UNKNOWN"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-03T12:00:43.783Z"},"title":"CVE Program Container","references":[{"url":"https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp","tags":["x_transferred"]},{"url":"https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283","tags":["x_transferred"]},{"name":"[debian-lts-announce] 20221117 [SECURITY] [DLA 3195-1] jupyter-core security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html"},{"name":"GLSA-202301-04","tags":["vendor-advisory","x_transferred"],"url":"https://security.gentoo.org/glsa/202301-04"},{"name":"FEDORA-2023-de87bd076b","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN/"},{"name":"FEDORA-2023-d966145959","tags":["vendor-advisory","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA/"},{"name":"DSA-5422","tags":["vendor-advisory","x_transferred"],"url":"https://www.debian.org/security/2023/dsa-5422"}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-04-23T15:47:29.874045Z","id":"CVE-2022-39286","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-04-23T16:43:15.864Z"}}]}}