{"id":"CVE-2022-39286","summary":"Execution with Unnecessary Privileges in JupyterApp","details":"Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in `jupyter_core` that stems from `jupyter_core` executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.","aliases":["GHSA-m678-f26j-3hrp","PYSEC-2022-42974"],"modified":"2026-04-16T04:09:27.347761Z","published":"2022-10-26T00:00:00Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-250","CWE-269"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39286.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39286.json"},{"type":"ADVISORY","url":"https://github.com/jupyter/jupyter_core/security/advisories/GHSA-m678-f26j-3hrp"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KKMP5OXXIX2QAUNVNJZ5UEQFKDYYJVBA/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIDN7JMLK6AOMBQI4QPSW4MBQGWQ5NIN/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39286"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202301-04"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5422"},{"type":"FIX","url":"https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jupyter/jupyter_core","events":[{"introduced":"0"},{"fixed":"a8eac8cb0403e148880f1ae9e71dbb5db6451efe"}]}],"versions":["4.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.1.0","4.1.1","4.10.0","4.11.0","4.11.1","4.2.0","4.2.1","4.3.0","4.4.0","4.5.0","4.6.0","4.6.1","4.6.2","4.6.3","4.7.0","4.7.0rc0","4.7.1","4.8.0","4.9.0","4.9.0rc0","4.9.1","4.9.1rc0","4.9.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39286.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}