CVE-2024-28179
Last modified
CVE-2024-28179 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. EPSS estimates a 1.02% chance of exploitation in the next 30 days.
Description
Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Jupyter | Jupyter Server Proxy | < 3.2.3 |
| Jupyter | Jupyter Server Proxy | >= 4.0.0, < 4.1.1 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-28179?
How severe is CVE-2024-28179?
How do I fix CVE-2024-28179?
Are you affected by CVE-2024-28179?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST