{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/origin-validation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["jupyter-server (\u003c= 2.17.0)"],"_cs_severities":["high"],"_cs_tags":["cors","origin-validation","regex","web-application"],"_cs_type":"advisory","_cs_vendors":["Jupyter"],"content_html":"\u003cp\u003eJupyter Server, a web-based interactive development environment, is susceptible to a CORS (Cross-Origin Resource Sharing) bypass vulnerability. This flaw arises from the server\u0026rsquo;s reliance on the \u003ccode\u003ere.match()\u003c/code\u003e function in Python\u0026rsquo;s regular expression library for validating the \u003ccode\u003eOrigin\u003c/code\u003e header against the configured \u003ccode\u003eallow_origin_pat\u003c/code\u003e. The \u003ccode\u003ere.match()\u003c/code\u003e function, unlike \u003ccode\u003ere.fullmatch()\u003c/code\u003e, only anchors the regex at the beginning of the string, not the end. Consequently, an attacker can craft a malicious domain, such as \u003ccode\u003ehttp://trusted.example.com.evil.com/\u003c/code\u003e, which will pass the regex validation if the \u003ccode\u003eallow_origin_pat\u003c/code\u003e is intended to match \u003ccode\u003etrusted.example.com\u003c/code\u003e. This vulnerability impacts Jupyter Server versions 2.17.0 and prior. The fix was implemented in pull request #603 and patched in commits 057869a327c46730afede3eab0ca2d2e3e74acea and 49b34392feaa97735b3b777e3baf8f22f2a14ed8. Successful exploitation allows an attacker to bypass CORS restrictions, potentially leading to unauthorized data access or actions on behalf of legitimate users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Jupyter Server instance running version 2.17.0 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious website with a domain name designed to bypass the \u003ccode\u003eallow_origin_pat\u003c/code\u003e regex. For instance, if the intended origin is \u003ccode\u003etrusted.example.com\u003c/code\u003e, the attacker uses \u003ccode\u003etrusted.example.com.evil.com\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA victim user visits the attacker\u0026rsquo;s malicious website in their browser.\u003c/li\u003e\n\u003cli\u003eThe malicious website sends a cross-origin HTTP request to the vulnerable Jupyter Server. The \u003ccode\u003eOrigin\u003c/code\u003e header in the request is set to the attacker-controlled domain (\u003ccode\u003etrusted.example.com.evil.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Jupyter Server receives the request and validates the \u003ccode\u003eOrigin\u003c/code\u003e header against the \u003ccode\u003eallow_origin_pat\u003c/code\u003e configuration using \u003ccode\u003ere.match()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the behavior of \u003ccode\u003ere.match()\u003c/code\u003e, the attacker\u0026rsquo;s origin passes the validation, as the regex only checks for a match at the beginning of the string.\u003c/li\u003e\n\u003cli\u003eThe Jupyter Server processes the cross-origin request, effectively bypassing the intended CORS restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker can then potentially perform unauthorized actions or access sensitive data within the Jupyter Server, as if the request originated from a trusted source.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass CORS restrictions on vulnerable Jupyter Server instances. This could lead to unauthorized access to sensitive data, modification of user settings, or execution of arbitrary code within the Jupyter environment, all performed under the guise of a legitimate user. The number of affected instances depends on the prevalence of vulnerable Jupyter Server versions and the use of misconfigured \u003ccode\u003eallow_origin_pat\u003c/code\u003e settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Jupyter Server to a version greater than 2.17.0, which includes the fix for CVE-2026-40110.\u003c/li\u003e\n\u003cli\u003eAs a workaround, wrap your \u003ccode\u003eallow_origin_pat\u003c/code\u003e configuration value with \u003ccode\u003e^\u003c/code\u003e and \u003ccode\u003e$\u003c/code\u003e to ensure the regex matches the entire string, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests with \u003ccode\u003eOrigin\u003c/code\u003e headers matching the pattern \u003ccode\u003etrusted.example.com.*\u003c/code\u003e (adjusting the \u003ccode\u003etrusted.example.com\u003c/code\u003e to your actual configured pattern) to detect potential exploitation attempts. Implement this detection using the provided Sigma rule targeting webserver logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-jupyter-cors-bypass/","summary":"Jupyter Server versions 2.17.0 and earlier are vulnerable to a CORS origin validation bypass due to improper use of `re.match()` in validating the Origin header against the `allow_origin_pat` configuration, allowing attackers to bypass CORS restrictions.","title":"Jupyter Server CORS Origin Validation Bypass via Regex","url":"https://feed.craftedsignal.io/briefs/2024-01-jupyter-cors-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Origin-Validation","version":"https://jsonfeed.org/version/1.1"}