Jupyter Server Proxy versions prior to 3.2.1 are vulnerable to Server-Side Request Forgery (SSRF). Any user deploying Jupyter Server or Notebook with the jupyter-proxy-server extension enabled is affected. A lack of input validation allows authenticated clients to proxy requests to other hosts, bypassing the `allowed_hosts` check. Because authentication is required, which already grants permissions to make the same requests via kernel or terminal execution, this is considered low to moderate severity.

Patch:
https://github.com/jupyterhub/jupyter-server-proxy/compare/v3.2.0...v3.2.1.patch
https://github.com/jupyterhub/jupyter-server-proxy/commit/fd31930bacd12188c448c886e0783529436b99eb
Sorry filip! We filed these at about the same time

*** This bug has been marked as a duplicate of bug 832051 ***
(In reply to John Helmert III from comment #1)
> Sorry filip! We filed these at about the same time
>
> *** This bug has been marked as a duplicate of bug 832051 ***

no problem ;)