CVE-2023-49080: Jupyter Server errors include tracebacks with path information

Published Dec 4, 2023
·
Updated

Impact

Unhandled errors in API requests include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment.

Patches

jupyter-server PATCHEDVERSION no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty.

Workarounds

None

Other sources

The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can include path information. There is no known mechanism by which to trigger these errors without authentication, so the paths revealed are not considered particularly sensitive, given that the requesting user has arbitrary execution permissions already in the same environment. A fix has been introduced in commit 0056c3aa52 which no longer includes traceback information in JSON error responses. For compatibility, the traceback field is present, but always empty. This commit has been included in version 2.11.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Software

4 affected componentsFixes available
pip/jupyter-server<2.11.2
2.11.2
jupyter Jupyter Server<2.11.2
IBM Watson Studio on Cloud Pak for Data<=4.0
IBM Watson Studio on Cloud Pak for Data<=5.0

Remediation

Patch Available

https://github.com/jupyter-server/jupyter_server/commit/0056c3aa52cbb28b263a7a609ae5f17618b36652

Event History

Dec 4, 2023
CVE Published
via MITRE·09:00 PM
Data Sourced
via MITRE·09:00 PM
DescriptionSeverityWeakness
Dec 5, 2023
Advisory Published
via GitHub·06:15 PM
Aug 28, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for this Jupyter Server vulnerability?

The vulnerability ID for this Jupyter Server vulnerability is CVE-2023-49080.

2

What is the severity level of CVE-2023-49080?

CVE-2023-49080 has a severity level of low.

3

What software is affected by CVE-2023-49080?

The Jupyter Server package version up to exclusive 2.11.2 is affected by CVE-2023-49080.

4

What is the remediation for CVE-2023-49080?

To fix CVE-2023-49080, you should upgrade the Jupyter Server package to version 2.11.2 or higher.

5

What is the Common Weakness Enumeration (CWE) number associated with CVE-2023-49080?

The Common Weakness Enumeration (CWE) number associated with CVE-2023-49080 is CWE-209.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203