Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-03-20T19:54:38.247Z
Updated: 2024-08-02T00:48:49.393Z
Reserved: 2024-03-06T17:35:00.857Z
Link: CVE-2024-28179
Vulnrichment
Updated: 2024-08-02T00:48:49.393Z
NVD
Status : Awaiting Analysis
Published: 2024-03-20T20:15:08.680
Modified: 2024-11-21T09:05:58.083
Link: CVE-2024-28179
Redhat
No data.