Veracode Vulnerability DatabaseVERACODE:47209Missing Authentication
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%
jupyter-scheduler is vulnerable to Missing Authentication. The vulnerability is due to a missing authentication check on the /scheduler/runtime_environments API endpoint, allowing unauthenticated users to obtain the list of Conda environment names on the server.
References
github.com/advisories/GHSA-v9g2-g7j4-4jxc
github.com/jupyter-server/jupyter-scheduler/commit/06435a2277bb2b8f441ec9cedafa474572b92c5d
github.com/jupyter-server/jupyter-scheduler/commit/a621b386397280cc8ee5a208dca4607cb71cdd65
github.com/jupyter-server/jupyter-scheduler/commit/d428ac871909444e175ba421bf8ab4980d6ebf9f
github.com/jupyter-server/jupyter-scheduler/commit/f4137a779fdf0cc4a9688a42dd8c6e7ade60f044
github.com/jupyter-server/jupyter-scheduler/security/advisories/GHSA-v9g2-g7j4-4jxc
github.com/jupyter-server/jupyter_server/pull/1392
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.9 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
9.1%