CVE-2024-22415 jupyter-lsp

Package

Manager: pip
Name: jupyter-lsp
Vulnerable Version: >=0 <2.2.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00167 (percentile 0.38256)

Details

Unsecured endpoints in the jupyter-lsp server extension

Impact
Installations of jupyter-lsp running in environments without file system access control configured at the operating-system level, and with jupyter-server instances exposed to a non-trusted network, are vulnerable to unauthorised access to, and modification of, the file system beyond the jupyter root directory.

Patches
Fixed in version 2.2.2.

Workarounds
Users of jupyterlab who do not use jupyterlab-lsp can uninstall jupyter-lsp.

Credits
We would like to credit Bary Levy, researcher of the pillar.security research team, for the discovery and responsible disclosure of this vulnerability.

Edit: based on advice from pillar.security, the Confidentiality/Integrity/Availability metrics were raised to High to reflect the potential for critical impact on publicly hosted jupyter-server instances lacking isolation of user privileges at the operating-system level (for best practices, see https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#protect-users-from-each-other), and CWE-94 was added because of potential vulnerability chaining in specific environments. Note that on this page only the CVSS v4.0 vector carries the raised VC:H/VI:H/VA:H values; the CVSS v3.1 vector still records C:L/I:L/A:L, and the CWE IDs listed under Metadata do not include CWE-94.
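As an added illustration, not jupyter-lsp's own code (the advisory does not document the affected endpoints, and nothing below is an exploit for them): the containment check that any file-serving handler rooted at a Jupyter root directory needs, shown as the naive join that lets a request reach beyond root (CWE-22/CWE-23) beside a hardened form, both exercised against a constructed directory tree. It assumes a POSIX filesystem on which symlinks can be created; the paths and requests are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple


def naive_resolve(root: str, requested: str) -> str:
    """Vulnerable form (CWE-22/CWE-23): join the client-supplied path onto the
    root and trust the result. '..' segments walk out of root, and an absolute
    `requested` makes os.path.join drop root entirely."""
    return os.path.normpath(os.path.join(root, requested))


def confined_resolve(root: str, requested: str) -> Optional[Path]:
    """Hardened form: treat the request as root-relative, resolve symlinks on
    both sides, then admit the target only if it is root itself or a
    descendant of root. Returns None to signal the request must be refused."""
    root_real = Path(root).resolve()
    # Drop leading separators so an absolute request cannot replace root.
    candidate = (root_real / requested.lstrip("/\\")).resolve()
    if candidate == root_real or root_real in candidate.parents:
        return candidate
    return None


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Build a constructed tree (assumption: POSIX filesystem with symlinks):

        <tmp>/notebooks/a.ipynb                 the "root directory" and a file in it
        <tmp>/secret/key                        a file outside root
        <tmp>/notebooks/escape -> <tmp>/secret  a symlink inside root pointing out

    and return, per constructed request, the naive result and the confined
    result (None when the hardened resolver refuses the request)."""
    base = Path(tempfile.mkdtemp())
    root = base / "notebooks"
    outside = base / "secret"
    root.mkdir()
    outside.mkdir()
    (root / "a.ipynb").write_text("{}")
    (outside / "key").write_text("constructed secret")
    (root / "escape").symlink_to(outside)

    requests = [
        "a.ipynb",          # legitimate request inside root
        "../secret/key",    # dot-dot traversal out of root
        "/etc/hostname",    # absolute path: os.path.join discards root
        "escape/key",       # textually inside root, resolves outside via symlink
    ]
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for req in requests:
        naive = naive_resolve(str(root), req)
        confined = confined_resolve(str(root), req)
        results[req] = (naive, None if confined is None else str(confined))
    return results


if __name__ == "__main__":
    for req, (naive, confined) in demo().items():
        print(f"{req!r:18} naive -> {naive}   confined -> {confined}")
```

The symlink case is why a string-prefix check on the joined path is not enough: the naive result for "escape/key" looks like it lives under root, and only resolving the real path exposes that it points outside. Whether an absolute request should be refused outright or, as here, reinterpreted relative to root is a design choice; either way it must never be allowed to replace root.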

Metadata

Created: 2024-01-18T16:12:28Z
Modified: 2024-01-19T20:32:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-4qhp-652w-c22x/GHSA-4qhp-652w-c22x.json
CWE IDs: CWE-22, CWE-23
Alternative ID: GHSA-4qhp-652w-c22x
Finding: F063
Auto approve: 1