Python Library jupyter_core < 5.8.0 Uncontrolled Search Path

Severity: High | Nessus Plugin ID 237906

Synopsis

A Python library installed on the remote Windows host is affected by an uncontrolled search path vulnerability.

Description

The detected version of the Python package, jupyter_core, is prior to 5.8.0. It is, therefore, affected by a vulnerability, as explained in the GHSA-33p9-3p43-82vq advisory. Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and an unprotected `%PROGRAMDATA%` are affected.

Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Other mitigations are also available: as administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users; or, as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions; or, as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. one controlled by administrators or the current user).
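As an added example (not code from the Nessus plugin or the jupyter_core project), the following PowerShell audits the ACL on the `%PROGRAMDATA%\jupyter` directory the advisory describes (falling back to `%PROGRAMDATA%` itself when the directory does not exist), lists broad principals that can create files there, and provides a function implementing the "create the directory with restrictive permissions" mitigation. The specific policy it applies (Administrators and SYSTEM full control, Users read/execute) is an assumption about what "appropriately restrictive" means for a given site.

```powershell
# Added example, not code from the plugin or jupyter_core: audit and harden the
# shared Jupyter system config path that jupyter_core < 5.8.0 searches on Windows.
$JupyterDir = Join-Path $env:PROGRAMDATA 'jupyter'

# Well-known SIDs for Everyone, Authenticated Users and BUILTIN\Users: none of these
# should be able to create files where every user's Jupyter config is read from.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

function Get-WeakWriteAces {
    # Return the Allow ACEs that grant a broad principal file or directory creation.
    param([Parameter(Mandatory)][string]$Path)
    $createMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                  [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }  # orphaned or unresolvable SID; not one of the broad principals
        if (($BroadSids -contains $sid) -and (($ace.FileSystemRights -band $createMask) -ne 0)) { $ace }
    }
}

function New-RestrictedJupyterDir {
    # Create %PROGRAMDATA%\jupyter with an explicit ACL instead of the inherited one.
    # Administrators and SYSTEM full control, Users read/execute only (assumed policy).
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($r in @(@('BUILTIN\Administrators', 'FullControl'),
                     @('NT AUTHORITY\SYSTEM',    'FullControl'),
                     @('BUILTIN\Users',          'ReadAndExecute'))) {
        $rights = [System.Security.AccessControl.FileSystemRights]$r[1]
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $r[0], $rights, $inherit, $none, [System.Security.AccessControl.AccessControlType]::Allow))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit the jupyter directory if it exists, otherwise the parent it would be created in.
$target = if (Test-Path -Path $JupyterDir) { $JupyterDir } else { $env:PROGRAMDATA }
$weak = @(Get-WeakWriteAces -Path $target)
if ($weak.Count -eq 0) {
    Write-Output "OK: no broad principal can create files in $target"
} else {
    Write-Output "WARNING: broad principals can create files in $target (affects all users' Jupyter config):"
    $weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    # Remediation, run from an elevated prompt: New-RestrictedJupyterDir -Path $JupyterDir
}
```

On a default Windows install the audit will flag `%PROGRAMDATA%` itself, since BUILTIN\Users can create files there; that is exactly the condition the advisory calls an unprotected `%PROGRAMDATA%`, and it is why creating the `jupyter` subdirectory with its own explicit ACL (or upgrading) matters.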

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to jupyter_core version 5.8.0 or later; the advisory recommends version 5.8.1.

See Also

http://www.nessus.org/u?9b493be7

Plugin Details

Severity: High

ID: 237906

File Name: python_jupyter_core_5_8_1.nasl

Version: 1.1

Type: local

Agent: windows

Family: Windows

Published: 6/6/2025

Updated: 6/6/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-30167

CVSS v3

Risk Factor: High

Base Score: 7.3

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:jupyter:jupyter_core

Required KB Items: SMB/Registry/Enumerated, Host/win/Python/Packages/Enumerated

Patch Publication Date: 5/7/2025

Vulnerability Publication Date: 5/7/2025

Reference Information

CVE: CVE-2025-30167

IAVB: 2025-B-0089