Jupyter-Server (<= 2.17.0)

Jupyter Server version 2.17.0 and earlier is vulnerable to a path traversal vulnerability due to an insufficient check on the root directory, allowing an authenticated user to access, read, write, and delete content outside the server's root directory in sibling directories that share the same prefix as the root directory, potentially leading to privilege escalation in multi-tenant environments.

Jupyter Server versions 2.17.0 and earlier are vulnerable to a CORS origin validation bypass due to improper use of `re.match()` in validating the Origin header against the `allow_origin_pat` configuration, allowing attackers to bypass CORS restrictions.