Bug 2484037 (CVE-2026-5422)
| Summary: | CVE-2026-5422 jupyter-server: jupyter-server: Sensitive data exposure via path traversal vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | jkoehler, lphiri, rjohnson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |

Doc Text:

A flaw was found in jupyter-server. This path traversal vulnerability exists due to insufficient validation of file paths, specifically an incorrect root directory boundary check and improper handling of directory traversal sequences. This allows a remote attacker with low privileges to bypass directory restrictions and gain unauthorized read and write access to files in sibling directories. This could lead to the exposure of sensitive data, particularly in shared hosting environments.
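A root boundary check that admits sibling directories is often a string-prefix comparison; the added example below contrasts that form with a component-wise check. It is not jupyter-server's code: the report does not show the faulty check, so the prefix-comparison form is an assumption, and all function, directory and file names are constructed.

```python
import os
import tempfile

def naive_within_root(root, requested):
    # Assumed flawed form: raw string-prefix test, no separator boundary.
    target = os.path.abspath(os.path.join(root, requested))
    return target.startswith(os.path.abspath(root))

def within_root(root, requested):
    # Resolve symlinks and ".." first, then compare whole path components.
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(os.path.join(root_real, requested))
    try:
        return os.path.commonpath([root_real, target_real]) == root_real
    except ValueError:  # e.g. paths on different drives on Windows
        return False

def audit(root, requests):
    """Map each request to (naive verdict, hardened verdict)."""
    return {r: (naive_within_root(root, r), within_root(root, r)) for r in requests}

def demo():
    # Constructed layout: two users' directories side by side under one base.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "alice")
    os.makedirs(os.path.join(root, "work"))
    os.makedirs(os.path.join(base, "alice-private"))
    requests = [
        "work/analysis.ipynb",           # inside the root
        "../alice-private/secrets.env",  # sibling sharing the root's name prefix
        "../bob/notes.txt",              # sibling with a different name
    ]
    return audit(root, requests)

if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req:32} naive={naive!s:5} hardened={hardened}")
```

A request where the two verdicts disagree marks a path the prefix test would serve from outside the root; the same comparison can be run as a regression test against any path-validation helper.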
Bug Depends On: 2486299, 2486300
Description
Sandipan Roy
2026-06-02 17:06:45 UTC