Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2024-28179
HistoryMar 20, 2024 - 8:15 p.m.

CVE-2024-28179

2024-03-2020:15:08
CWE-306
[email protected]
web.nvd.nist.gov
41
jupyter server proxy
cve-2024-28179
websockets
unauthenticated access
arbitrary code execution
information security

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by jupyter_server itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.

Affected configurations

Vulners
Node
jupyterhubkubespawnerRange4.0.04.1.1
OR
jupyterhubkubespawnerRange<3.2.3
VendorProductVersionCPE
jupyterhubkubespawner*cpe:2.3:a:jupyterhub:kubespawner:*:*:*:*:*:*:*:*
jupyterhubkubespawner*cpe:2.3:a:jupyterhub:kubespawner:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "jupyterhub",
    "product": "jupyter-server-proxy",
    "versions": [
      {
        "version": ">= 4.0.0, < 4.1.1",
        "status": "affected"
      },
      {
        "version": "< 3.2.3",
        "status": "affected"
      }
    ]
  }
]

Related

osv 2
github 1
nvd 1
veracode 1
cvelist 1
osv
osv
CVE-2024-28179
2024-03-20 20:15:08
Jupyter Server Proxy's Websocket Proxying does not require authentication
2024-03-20 15:22:02
github
github
Jupyter Server Proxy's Websocket Proxying does not require authentication
2024-03-20 15:22:02
nvd
nvd
CVE-2024-28179
2024-03-20 20:15:08
veracode
veracode
Missing Websocket Authentication
2024-03-22 09:17:58
cvelist
cvelist
CVE-2024-28179 Jupyter Server Proxy's Websocket Proxying does not require authentication
2024-03-20 19:54:38

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON
Related for CVE-2024-28179
osv2github1nvd1veracode1cvelist1