Unauthenticated Remote Code Execution Vulnerability in Jupyter Server Proxy
CVE-2024-28179

9.8CRITICAL

Key Information:

Vendor

Jupyterhub

Status
Jupyter-server-proxy
Vendor
CVE Published:
20 March 2024

What is CVE-2024-28179?

Jupyter Server Proxy versions prior to 3.2.3 and 4.1.1 contain a vulnerability that permits unauthorized users to connect to websocket endpoints. This flaw occurs because user authentication checks are not performed properly when proxying websockets. Consequently, attackers with network access to the Jupyter server can exploit this vulnerability, potentially leading to the execution of arbitrary code on the server. It is critical for users to upgrade to the patched versions to mitigate this risk. Notably, instances that do not leverage websockets are unaffected by this issue.

Affected Version(s)

jupyter-server-proxy >= 4.0.0, < 4.1.1 < 4.0.0, 4.1.1

jupyter-server-proxy < 3.2.3 < 3.2.3

References

https://github.com/jupyterhub/jupyter-server-proxy/securi...
x_refsource_CONFIRM
https://github.com/jupyterhub/jupyter-server-proxy/commit...
x_refsource_MISC
https://github.com/jupyterhub/jupyter-server-proxy/commit...
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.