CVE-2022-39286: Execution with Unnecessary Privileges in JupyterApp

Published Oct 26, 2022
·
Updated

Impact What kind of vulnerability is it? Who is impacted? We’d like to disclose an arbitrary code execution vulnerability in jupytercore that stems from jupytercore executing untrusted files in the current working directory. This vulnerability allows one user to run code as another.

Patches Has the problem been patched? What versions should users upgrade to? Users should upgrade to jupytercore>=4.11.2.

Workarounds Is there a way for users to fix or remediate the vulnerability without upgrading? No

References Are there any links users can visit to find out more? Similar advisory in IPython

Other sources

Jupyter Core is a package for the core common functionality of Jupyter projects. Jupyter Core prior to version 4.11.2 contains an arbitrary code execution vulnerability in jupytercore that stems from jupytercore executing untrusted files in CWD. This vulnerability allows one user to run code as another. Version 4.11.2 contains a patch for this issue. There are no known workarounds.

Affected Software

10 affected componentsFixes available
debian/jupyter-core<=4.4.0-2
4.4.0-2+deb10u14.7.1-1+deb11u14.12.0-15.3.2-1
debian/jupyter-core<=4.7.1-1, <=4.11.1-1
4.11.2-14.7.1-1+deb11u1
pip/jupyter-core<4.11.2
4.11.2
jupyter Jupyter Core<4.11.2
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=36
Fedoraproject Fedora=37
IBM Watson Studio on Cloud Pak for Data<=4.0
IBM Watson Studio on Cloud Pak for Data<=5.0

Remediation

Patch Available

https://github.com/jupyter/jupyter_core/commit/1118c8ce01800cb689d51f655f5ccef19516e283

Event History

Oct 26, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Advisory Published
via GitHub·10:07 PM
Aug 28, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2022-39286?

CVE-2022-39286 is an arbitrary code execution vulnerability in Jupyter Core that allows one user to run code as another.

2

Who is impacted by CVE-2022-39286?

Users of Jupyter Core versions prior to 4.11.2 are impacted by CVE-2022-39286.

3

What is the severity of CVE-2022-39286?

CVE-2022-39286 has a severity rating of 8.8 (High).

4

How can I fix CVE-2022-39286?

To fix CVE-2022-39286, update Jupyter Core to version 4.11.2 or higher.

5

Where can I find more information about CVE-2022-39286?

You can find more information about CVE-2022-39286 on the GitHub Security Advisory page and the NVD website.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203