GHSA-V9G2-G7J4-4JXC

jupyter-scheduler's endpoint is missing authentication

Published: 2024-05-23 14:00:15 (History: May 23, 2024, 2:00 p.m.)
Source: GitHub Advisory Database (github.com)
CWE: CWE-200 (Exposure of Sensitive Information), CWE-287 (Improper Authentication)
Tags: jupyter-scheduler, authentication, endpoint, conda environments, versions, patches, workarounds, aws/amazon security

CVSS3: 5.3 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.9 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

Impact

jupyter_scheduler is missing an authentication check in Jupyter Server on an API endpoint (GET /scheduler/runtime_environments) which lists the names of the Conda environments on the server. In affected versions, jupyter_scheduler allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name.

This issue does not allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where jupyter_scheduler is running. This issue only reveals the list of Conda environment names.

Impacted versions: >=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1
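The following is an added example and is not code from jupyter-scheduler, Jupyter Server or this advisory. It models the endpoint the advisory names, GET /scheduler/runtime_environments, in a minimal stdlib HTTP server in two modes (unpatched: answers with no credential at all; patched: requires the server token before anything is sent), and provides a probe that reports whether a given Jupyter Server base URL returns environment names to a request carrying no token. The handler, the token value, the environment names, the JSON shape and the function names (start_server, probe, is_exposed) are all assumptions constructed here for illustration.

```python
"""Added example: stand-in for the affected endpoint plus an unauthenticated-access probe.
Not jupyter-scheduler's own code; handler, token, names and JSON shape are constructed."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Optional, Tuple

ENDPOINT = "/scheduler/runtime_environments"   # endpoint named in the advisory
TOKEN = "example-token-not-real"               # hypothetical server token
# Constructed sample data: names like these are exactly what leaks (a client or project name).
SAMPLE_ENVS = ["base", "acme-client-pilot", "ml-gpu-py311"]


def make_handler(require_auth: bool):
    """Stand-in handler. require_auth=False mimics the unpatched behaviour,
    require_auth=True the patched one (token checked before any data is sent)."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _token_ok(self) -> bool:
            # Jupyter Server accepts its token as "Authorization: token <value>".
            return self.headers.get("Authorization") == f"token {TOKEN}"

        def do_GET(self):
            if self.path != ENDPOINT:
                self.send_response(404)
                self.end_headers()
                return
            if require_auth and not self._token_ok():
                self.send_response(403)  # the missing check in affected versions
                self.end_headers()
                return
            body = json.dumps([{"name": n} for n in SAMPLE_ENVS]).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    return Handler


def start_server(require_auth: bool):
    """Start a stand-in server on an ephemeral localhost port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects: on a real Jupyter Server a 302 to /login is the
    'authentication required' answer and must not be mistaken for success."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, token: Optional[str] = None, timeout: float = 5.0) -> Tuple[int, List[str]]:
    """GET the endpoint; return (HTTP status, environment names parsed from a 200 JSON body)."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT)
    if token:
        req.add_header("Authorization", f"token {token}")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            try:
                payload = json.loads(resp.read().decode("utf-8"))
            except ValueError:
                return status, []
    except urllib.error.HTTPError as err:  # 401/403/302 all land here
        return err.code, []
    if not isinstance(payload, list):
        return status, []
    # Tolerate both a list of objects carrying "name" and a bare list of strings.
    return status, [str(e.get("name", e)) if isinstance(e, dict) else str(e) for e in payload]


def is_exposed(base_url: str, timeout: float = 5.0) -> bool:
    """True when the endpoint lists environments to a request carrying no token."""
    status, names = probe(base_url, None, timeout)
    return status == 200 and bool(names)


if __name__ == "__main__":
    for label, require_auth in (("unpatched", False), ("patched", True)):
        srv, url = start_server(require_auth)
        print(f"{label:9s} no token   -> {probe(url)}")
        print(f"{label:9s} with token -> {probe(url, TOKEN)}")
        print(f"{label:9s} exposed    -> {is_exposed(url)}")
        srv.shutdown()
        srv.server_close()
```

To check a real deployment, call is_exposed("http://localhost:8888") (or probe with the server's token as the second argument) against a server that has authentication enabled; a 302 to /login or a 403 both count as not exposed. Two caveats: a server started with an empty token disables authentication for every endpoint, so a 200 there says nothing about this advisory, and a 404 means the extension is not loaded at all (which is also what the workaround below produces).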

Patches

  • jupyter-scheduler==1.1.6
  • jupyter-scheduler==1.2.1
  • jupyter-scheduler==1.8.2
  • jupyter-scheduler==2.5.2

Workarounds

Server operators who are unable to upgrade can disable the jupyter-scheduler extension with:

jupyter server extension disable jupyter-scheduler

Extension configuration is read at startup, so restart Jupyter Server afterwards; `jupyter server extension list` then shows whether the extension is still enabled.

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.

[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Affected configurations

Vulners node (the product is recorded here as jupyter/jupyter_server; per the advisory text the affected package is jupyter-scheduler, and the ranges correspond to the "Impacted versions" line above):

  • jupyter jupyter_server < 2.5.2
  OR
  • jupyter jupyter_server < 1.8.2
  OR
  • jupyter jupyter_server == 1.2.0
  OR
  • jupyter jupyter_server < 1.1.6
