logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-28188 jupyter-scheduler

Package

Manager: pip
Name: jupyter-scheduler
Vulnerable Version: >=1.0.0 <1.1.6 || =1.2.0 || >=1.2.0 <1.2.1 || >=1.3.0 <1.8.2 || >=2.0.0 <2.5.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00101 pctl0.28512

Details

jupyter-scheduler's endpoint is missing authentication ### Impact `jupyter_scheduler` is missing an authentication check in Jupyter Server on an API endpoint (`GET /scheduler/runtime_environments`) which lists the names of the Conda environments on the server. In affected versions, `jupyter_scheduler` allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name. This issue does **not** allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where `jupyter_scheduler` is running. This issue only reveals the list of Conda environment names. Impacted versions: `>=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1` ### Patches * `jupyter-scheduler==1.1.6` * `jupyter-scheduler==1.2.1` * `jupyter-scheduler==1.8.2` * `jupyter-scheduler==2.5.2` ### Workarounds Server operators who are unable to upgrade can disable the `jupyter-scheduler` extension with: ``` jupyter server extension disable jupyter-scheduler ``` ### References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting

Metadata

Created: 2024-05-23T14:00:15Z
Modified: 2024-05-23T14:00:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v9g2-g7j4-4jxc/GHSA-v9g2-g7j4-4jxc.json
CWE IDs: ["CWE-200", "CWE-287"]
Alternative ID: GHSA-v9g2-g7j4-4jxc
Finding: F039
Auto approve: 1