Unsecured endpoints in the jupyter-lsp server extension
CVE-2024-22415

7.3 HIGH

Key Information:

CVE Published: 18 January 2024

What is CVE-2024-22415?

jupyter-lsp is the Jupyter Server extension that proxies Language Server Protocol servers (code navigation, diagnostics and linting, autocompletion) to JupyterLab over WebSocket. Before version 2.2.2 its endpoints could be reached without authenticating to the Jupyter server. In deployments where the jupyter-server instance is exposed to an untrusted network and no file system access control is configured at the operating system level, an unauthenticated user could therefore read and modify files beyond the Jupyter root directory. Version 2.2.2 patches the issue; users who cannot upgrade should uninstall jupyter-lsp.
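The two conditions the advisory names, an endpoint reachable without the Jupyter server's authentication and file access that is not confined to the server root, shown side by side in an added Python example (not jupyter-lsp's own code and not its patch). `authenticated`, `confined_path`, the handler classes and the `/srv/notebooks` root are hypothetical stand-ins that mirror the Tornado `@web.authenticated` pattern jupyter-server handlers use; `is_affected` compares a version string against the 2.2.2 fix.

```python
"""Added illustration of the defect class behind CVE-2024-22415: a handler
that never checks the authenticated Jupyter user, next to one that checks
authentication and confines paths to root_dir. Names are hypothetical."""
import functools
import os
import re
from typing import Callable, Optional, Tuple


class Unauthorized(Exception):
    """Stands in for the HTTP 403 a real Tornado handler would send."""


def authenticated(method: Callable) -> Callable:
    """Mimics tornado.web.authenticated: refuse unless the server attached an
    authenticated user (token or cookie check) to the request."""
    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        if self.current_user is None:
            raise Unauthorized("request carries no authenticated Jupyter user")
        return method(self, *args, **kwargs)
    return wrapper


def confined_path(root_dir: str, requested: str) -> str:
    """Resolve `requested` under `root_dir`; refuse anything that escapes it
    ('..' sequences, absolute paths, symlinks that point outside)."""
    root = os.path.realpath(root_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{requested!r} resolves outside {root_dir!r}")
    return target


class BaseHandler:
    def __init__(self, root_dir: str, current_user: Optional[str]) -> None:
        self.root_dir = root_dir
        self.current_user = current_user  # None means an unauthenticated client


class UnsecuredFileHandler(BaseHandler):
    """Vulnerable shape: no auth decorator, and the path is used as given,
    so any network client can name a file outside root_dir."""
    def get(self, path: str) -> str:
        return os.path.realpath(os.path.join(self.root_dir, path))


class SecuredFileHandler(BaseHandler):
    """Hardened shape: authentication first, then confinement to root_dir."""
    @authenticated
    def get(self, path: str) -> str:
        return confined_path(self.root_dir, path)


def probe(handler: BaseHandler, path: str) -> Tuple[str, str]:
    """Run one request and report (outcome, detail) instead of raising."""
    try:
        return "served", handler.get(path)
    except Unauthorized as exc:
        return "unauthenticated", str(exc)
    except PermissionError as exc:
        return "outside-root", str(exc)


def is_affected(version: str) -> bool:
    """True when a jupyter-lsp version string is below the 2.2.2 fix. Only the
    leading numeric components are compared, so pre-releases of 2.2.2 count as
    fixed; confirm with the exact string from `pip show jupyter-lsp`."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts < (2, 2, 2)


if __name__ == "__main__":
    root = "/srv/notebooks"  # constructed root_dir; it need not exist on disk
    for handler in (UnsecuredFileHandler(root, None),
                    SecuredFileHandler(root, None),
                    SecuredFileHandler(root, "alice")):
        for requested in ("nb.ipynb", "../../etc/passwd", "/etc/passwd"):
            print(type(handler).__name__, handler.current_user,
                  requested, probe(handler, requested))
```

The unsecured handler happily resolves `../../etc/passwd` for a client with no user at all, which is the combination the advisory describes: missing endpoint authentication plus nothing at the OS level stopping the server process from touching files outside the Jupyter root. The hardened handler refuses the unauthenticated request before any path is looked at, and refuses escapes even for a logged-in user.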

Affected Version(s)

jupyter-lsp < 2.2.2

CVSS V3.1

Score: 7.3
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability reserved

  • Vulnerability published: 18 January 2024