cvelistv5 - cve-2024-28179

CVE-2024-28179 (GCVE-0-2024-28179)

Vulnerability from cvelistv5 – Published: 2024-03-20 19:54 – Updated: 2024-08-02 00:48

Summary

Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

Tags

	https://github.com/jupyterhub/jupyter-server-prox…	x_refsource_CONFIRM
	https://github.com/jupyterhub/jupyter-server-prox…	x_refsource_MISC
	https://github.com/jupyterhub/jupyter-server-prox…	x_refsource_MISC
	https://github.com/jupyterhub/jupyter-server-prox…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	jupyterhub	jupyter-server-proxy	Affected: >= 4.0.0, < 4.1.1 Affected: < 3.2.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28179",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T00:13:55.892207Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-16T00:14:02.336Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.393Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
          },
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
          },
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
          },
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jupyter-server-proxy",
          "vendor": "jupyterhub",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.1.1"
            },
            {
              "status": "affected",
              "version": "\u003c 3.2.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-20T19:54:38.247Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
        },
        {
          "name": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
        },
        {
          "name": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
        },
        {
          "name": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
        }
      ],
      "source": {
        "advisory": "GHSA-w3vc-fx9p-wp4v",
        "discovery": "UNKNOWN"
      },
      "title": "Jupyter Server Proxy\u0027s Websocket Proxying does not require authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28179",
    "datePublished": "2024-03-20T19:54:38.247Z",
    "dateReserved": "2024-03-06T17:35:00.857Z",
    "dateUpdated": "2024-08-02T00:48:49.393Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.\"}, {\"lang\": \"es\", \"value\": \"Jupyter Server Proxy permite a los usuarios ejecutar procesos externos arbitrarios junto con sus servidores port\\u00e1tiles Jupyter y proporciona acceso web autenticado. Antes de las versiones 3.2.3 y 4.1.1, Jupyter Server Proxy no verificaba adecuadamente la autenticaci\\u00f3n del usuario al utilizar websockets, lo que permit\\u00eda el acceso no autenticado a cualquier persona que tuviera acceso de red al endpoint del servidor Jupyter. Esta vulnerabilidad puede permitir el acceso remoto no autenticado a cualquier endpoint de websocket configurado para ser accesible a trav\\u00e9s de Jupyter Server Proxy. En muchos casos, esto conduce a la ejecuci\\u00f3n remota de c\\u00f3digo arbitrario no autenticado, debido a c\\u00f3mo las instancias afectadas usan websockets. Los endpoints de websocket expuestos por el propio `jupyter_server` no se ven afectados. Los proyectos que no dependen de websockets tampoco se ven afectados. Las versiones 3.2.3 y 4.1.1 contienen una soluci\\u00f3n para este problema. \"}]",
      "id": "CVE-2024-28179",
      "lastModified": "2024-11-21T09:05:58.083",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.0, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 6.0}]}",
      "published": "2024-03-20T20:15:08.680",
      "references": "[{\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-306\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-28179\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-20T20:15:08.680\",\"lastModified\":\"2025-02-21T16:37:13.663\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.\"},{\"lang\":\"es\",\"value\":\"Jupyter Server Proxy permite a los usuarios ejecutar procesos externos arbitrarios junto con sus servidores port\u00e1tiles Jupyter y proporciona acceso web autenticado. Antes de las versiones 3.2.3 y 4.1.1, Jupyter Server Proxy no verificaba adecuadamente la autenticaci\u00f3n del usuario al utilizar websockets, lo que permit\u00eda el acceso no autenticado a cualquier persona que tuviera acceso de red al endpoint del servidor Jupyter. Esta vulnerabilidad puede permitir el acceso remoto no autenticado a cualquier endpoint de websocket configurado para ser accesible a trav\u00e9s de Jupyter Server Proxy. En muchos casos, esto conduce a la ejecuci\u00f3n remota de c\u00f3digo arbitrario no autenticado, debido a c\u00f3mo las instancias afectadas usan websockets. Los endpoints de websocket expuestos por el propio `jupyter_server` no se ven afectados. Los proyectos que no dependen de websockets tampoco se ven afectados. Las versiones 3.2.3 y 4.1.1 contienen una soluci\u00f3n para este problema. \"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jupyter:jupyter_server_proxy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.2.3\",\"matchCriteriaId\":\"51D04BA6-D1C3-4132-9C0E-891EE213D100\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jupyter:jupyter_server_proxy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.1.1\",\"matchCriteriaId\":\"F5DA7A15-524C-4224-B9A1-2BE4D1E48FEB\"}]}]}],\"references\":[{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:48:49.393Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28179\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-16T00:13:55.892207Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-16T00:13:59.584Z\"}}], \"cna\": {\"title\": \"Jupyter Server Proxy\u0027s Websocket Proxying does not require authentication\", \"source\": {\"advisory\": \"GHSA-w3vc-fx9p-wp4v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"jupyterhub\", \"product\": \"jupyter-server-proxy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0, \u003c 4.1.1\"}, {\"status\": \"affected\", \"version\": \"\u003c 3.2.3\"}]}], \"references\": [{\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\", \"name\": \"https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-20T19:54:38.247Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-28179\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T00:48:49.393Z\", \"dateReserved\": \"2024-03-06T17:35:00.857Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-20T19:54:38.247Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2024-28179

Vulnerability from gsd - Updated: 2024-03-08 06:02

Details

Aliases

CVE-2024-28179

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-28179"
      ],
      "details": "Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.",
      "id": "GSD-2024-28179",
      "modified": "2024-03-08T06:02:46.427805Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-28179",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "jupyter-server-proxy",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 4.0.0, \u003c 4.1.1"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 3.2.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "jupyterhub"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-306",
                "lang": "eng",
                "value": "CWE-306: Missing Authentication for Critical Function"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v",
            "refsource": "MISC",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
          },
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9",
            "refsource": "MISC",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
          },
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03",
            "refsource": "MISC",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
          },
          {
            "name": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433",
            "refsource": "MISC",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-w3vc-fx9p-wp4v",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue."
          }
        ],
        "id": "CVE-2024-28179",
        "lastModified": "2024-03-21T12:58:51.093",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.0,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 6.0,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-20T20:15:08.680",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-306"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

GHSA-W3VC-FX9P-WP4V

Vulnerability from github – Published: 2024-03-20 15:22 – Updated: 2025-02-21 22:32

Summary

Jupyter Server Proxy's Websocket Proxying does not require authentication

Details

Summary

jupyter-server-proxy is used to expose ports local to a Jupyter server listening to web traffic to the Jupyter server's authenticated users by proxying web requests and websockets. Dependent packages (partial list) also use jupyter-server-proxy to expose other popular interactive applications (such as RStudio, Linux Desktop via VNC, Code Server, Panel, etc) along with the Jupyter server. This feature is commonly used in hosted environments (such as a JupyterHub) to expose non-Jupyter interactive frontends or APIs to the user.

jupyter-server-proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint.

Impact

This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via jupyter-server-proxy. In many cases (such as when exposing RStudio via jupyter-rsession-proxy or a remote Linux Desktop / VNC via jupyter-remote-desktop-proxy), this leads to remote unauthenticated arbitrary code execution, due to how they use websockets. The websocket endpoints exposed by jupyter_server itself is not affected. Projects that do not rely on websockets are also not affected.

Remediation

Upgrade jupyter-server-proxy to a patched version and restart any running Jupyter server.

You may not be installing jupyter-server-proxy directly, but have it be pulled in as a dependency (partial list of dependent packages) - so you may be vulnerable even if you aren't directly depending on jupyter-server-proxy.

For JupyterHub admins of [TLJH] installations

Expand to read more To secure a tljh deployment's user servers, first check if `jupyter-server-proxy` is installed in the user environment with a vulnerable version. If it is, patch the vulnerability and consider terminating currently running user servers. [tljh]: https://tljh.jupyter.org #### 1. Check for vulnerability As an JupyterHub admin from a terminal in a started user server, you can do:

sudo -E python3 -c '
try:
    import jupyter_server_proxy
    is_vulnerable = not hasattr(jupyter_server_proxy, "__version__")
except:
    is_vulnerable = False
if is_vulnerable:
    print("WARNING: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.")
else:
    print("INFO: not vulnerable to GHSA-w3vc-fx9p-wp4v")
'

Alternatively as a root user on the server where tljh is installed, you can do:

sudo PATH=/opt/tljh/user/bin:${PATH} python3 -c '
try:
    import jupyter_server_proxy
    is_vulnerable = not hasattr(jupyter_server_proxy, "__version__")
except:
    is_vulnerable = False
if is_vulnerable:
    print("WARNING: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.")
else:
    print("INFO: not vulnerable to GHSA-w3vc-fx9p-wp4v")
'

#### 2. Patch detected vulnerability As an JupyterHub admin from a terminal in a started user server, you can do:

sudo -E pip install "jupyter-server-proxy>=3.2.3,!=4.0.0,!=4.1.0"

Alternatively as a root user on the server where tljh is installed, you can do:

sudo PATH=/opt/tljh/user/bin:${PATH} pip install "jupyter-server-proxy>=3.2.3,!=4.0.0,!=4.1.0"

#### 3. Consider terminating currently running user servers User servers that started before the patch was applied are still vulnerable. To ensure they aren't vulnerable any more you could forcefully terminate their servers via the JupyterHub web interface at `https:///hub/admin`.

For JupyterHub admins of [Z2JH] installations

Expand to read more To secure your z2jh deployment's user servers, first consider if one or more user environments is or may be vulnerable, then ensure new user servers' aren't started with the vulnerability, and finally consider terminating currently running user servers. The steps below guide you to do so. [z2jh]: https://z2jh.jupyter.org #### 1. Check for vulnerabilities Consider all docker images that user servers' environment may be based on. If your deployment expose a fixed set of images, you may be able to update them to non-vulnerable versions. To check if an individual docker image is vulnerable, use a command like:

CHECK_IMAGE=jupyter/base-notebook:2023-10-20
docker run --rm $CHECK_IMAGE python3 -c '
try:
    import jupyter_server_proxy
    is_vulnerable = not hasattr(jupyter_server_proxy, "__version__")
except:
    is_vulnerable = False
if is_vulnerable:
    print("WARNING: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.")
else:
    print("INFO: not vulnerable to GHSA-w3vc-fx9p-wp4v")
'

Note that if you reference an image with a mutable tag, such as `quay.io/jupyter/pangeo-notebook:master`, you should ensure a new version is used by configuring the image pull policy so that an older vulnerable version isn't kept being used because it was already available on a Kubernetes node.

singleuser:
  image:
    name: quay.io/jupyter/pangeo-notebook
    tag: master
    # pullPolicy (a.k.a. imagePullPolicy in k8s specification) should be
    # declared to Always if you make use of mutable tags
    pullPolicy: Always

#### 2. Patch vulnerabilities dynamically If your z2jh deployment still may start vulnerable images for users, you could mount a script that checks and patches the vulnerability before the jupyter server starts. Below is JupyterHub Helm chart configuration that relies on [`singleuser.extraFiles`] and [`singleuser.cmd`] to mount a script we use as an entrypoint to dynamically check and patch the vulnerability before jupyter server is started. Unless you change it, the script will attempt to upgrade `jupyter-server-proxy` to a non-vulnerable version if needed, and error if it needs to and fails. You can adjust this behavior by adjusting the constants `UPGRADE_IF_VULNERABLE` and `ERROR_IF_VULNERABLE` inside the script. [`singleuser.extraFiles`]: https://z2jh.jupyter.org/en/stable/resources/reference.html#singleuser-extrafiles [`singleuser.cmd`]: https://z2jh.jupyter.org/en/stable/resources/reference.html#singleuser-cmd

singleuser:
  cmd:
    - /mnt/ghsa-w3vc-fx9p-wp4v/check-patch-run
    - jupyterhub-singleuser
  extraFiles:
    ghsa-w3vc-fx9p-wp4v-check-patch-run:
      mountPath: /mnt/ghsa-w3vc-fx9p-wp4v/check-patch-run
      mode: 0755
      stringData: |
        #!/usr/bin/env python3
        """
        This script is designed to check for and conditionally patch GHSA-w3vc-fx9p-wp4v
        in user servers started by a JupyterHub. The script will execute any command
        passed via arguments if provided, allowing it to wrap a user server startup call
        to `jupyterhub-singleuser` for example.

        Use and function of this script can be further discussed in
        https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues/3360.

        Script adjustments:
        - UPGRADE_IF_VULNERABLE
        - ERROR_IF_VULNERABLE

        Script patching assumptions:
        - script is run before the jupyter server starts
        - pip is available
        - pip has sufficient filesystem permissions to upgrade jupyter-server-proxy

        Read more at https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.
        """

        import os
        import subprocess
        import sys

        # adjust these to meet vulnerability mitigation needs
        UPGRADE_IF_VULNERABLE = True
        ERROR_IF_VULNERABLE = True


        def check_vuln():
            """
            Checks for the vulnerability by looking to see if __version__ is available
            as it coincides with the patched versions (3.2.3 and 4.1.1).
            """
            try:
                import jupyter_server_proxy

                return False if hasattr(jupyter_server_proxy, "__version__") else True
            except:
                return False


        def get_version_specifier():
            """
            Returns a pip version specifier for use with `--no-deps` meant to do as
            little as possible besides patching the vulnerability and remaining
            functional.
            """
            old = ["jupyter-server-proxy>=3.2.3,<4"]
            new = ["jupyter-server-proxy>=4.1.1,<5", "simpervisor>=1,<2"]

            try:
                if sys.version_info < (3, 8):
                    return old

                from importlib.metadata import version

                jsp_version = version("jupyter-server-proxy")
                if int(jsp_version.split(".")[0]) < 4:
                    return old
            except:
                pass
            return new


        def patch_vuln():
            """
            Attempts to patch the vulnerability by upgrading jupyter-server-proxy using
            pip. Returns True if the patch is applied successfully, otherwise False.
            """
            # attempt upgrade via pip, takes ~4 seconds
            proc = subprocess.run(
                [sys.executable, "-m", "pip", "--version"],
                stdout=subprocess.DEVNULL,
                stderr=subprocess.DEVNULL,
            )
            pip_available = proc.returncode == 0
            if pip_available:
                proc = subprocess.run(
                    [sys.executable, "-m", "pip", "install", "--no-deps"]
                    + get_version_specifier()
                )
                if proc.returncode == 0:
                    return True
            return False


        def main():
            if check_vuln():
                warning_or_error = (
                    "ERROR" if ERROR_IF_VULNERABLE and not UPGRADE_IF_VULNERABLE else "WARNING"
                )
                print(
                    f"{warning_or_error}: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see "
                    "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.",
                    flush=True,
                )
                if warning_or_error == "ERROR":
                    sys.exit(1)

                if UPGRADE_IF_VULNERABLE:
                    print(
                        "INFO: Attempting to upgrade jupyter-server-proxy using pip...",
                        flush=True,
                    )
                    if patch_vuln():
                        print(
                            "INFO: Attempt to upgrade jupyter-server-proxy succeeded!",
                            flush=True,
                        )
                    else:
                        warning_or_error = "ERROR" if ERROR_IF_VULNERABLE else "WARNING"
                        print(
                            f"{warning_or_error}: Attempt to upgrade jupyter-server-proxy failed!",
                            flush=True,
                        )
                        if warning_or_error == "ERROR":
                            sys.exit(1)

            if len(sys.argv) >= 2:
                print("INFO: Executing provided command", flush=True)
                os.execvp(sys.argv[1], sys.argv[1:])
            else:
                print("INFO: No command to execute provided", flush=True)


        main()

Simple Reproduction

Expand to read more ### Setup application to proxy Make a trivial tornado app that has both websocket and regular HTTP endpoints.

from tornado import websocket, web, ioloop

class EchoWebSocket(websocket.WebSocketHandler):
    def open(self):
        print("WebSocket opened")

    def on_message(self, message):
        self.write_message(u"You said: " + message)

    def on_close(self):
        print("WebSocket closed")

class HiHandler(web.RequestHandler):
    def get(self):
        self.write("Hi")

app = web.Application([
    (r'/ws', EchoWebSocket),
    (r'/hi', HiHandler)
])

if __name__ == '__main__':
    app.listen(9500)
    ioloop.IOLoop.instance().start()

### Setup a clean environment with `jupyter-server-proxy` and start a `jupyter server` instance We don't need jupyterlab or anything else here, just `jupyter-server-proxy` would do.

python -m venv clean-env/
source clean-env/bin/activate
pip install jupyter-server-proxy
jupyter server

### Verify HTTP requests require authentication

curl -L http://127.0.0.1:8888/proxy/9500/hi

This does *not* return the `Hi` response, as expected. Instead, you get the HTML response asking for a token. This is secure as intended. ### Verify websocket requests doesn't authentication The example makes use of [websocat](https://github.com/vi/websocat) to test websockets. You can use any other tool you are familiar with too.

websocat ws://localhost:8888/proxy/9500/ws

At the terminal, type 'Just testing' and press Enter. You'll get `You said: Just testing` without any authentication required.

Severity ?

9.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T15:22:02Z",
    "nvd_published_at": "2024-03-20T20:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\n`jupyter-server-proxy` is used to expose ports local to a Jupyter server listening to web traffic to the Jupyter server\u0027s _authenticated users_ by proxying web requests and websockets. Dependent packages ([partial list](https://www.wheelodex.org/projects/jupyter-server-proxy/rdepends/)) also use `jupyter-server-proxy` to expose other popular interactive applications (such as [RStudio](https://github.com/jupyterhub/jupyter-rsession-proxy), [Linux Desktop via VNC](https://github.com/jupyterhub/jupyter-remote-desktop-proxy), [Code Server](https://github.com/betatim/vscode-binder), [Panel](https://github.com/holoviz/jupyter-panel-proxy), etc) along with the Jupyter server. This feature is commonly used in hosted environments (such as a JupyterHub) to expose non-Jupyter interactive frontends or APIs to the user.\n\n`jupyter-server-proxy` did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint.\n\n## Impact\n\nThis vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via `jupyter-server-proxy`. In many cases (such as when exposing RStudio via [`jupyter-rsession-proxy`](https://github.com/jupyterhub/jupyter-rsession-proxy) or a remote Linux Desktop / VNC via [`jupyter-remote-desktop-proxy`](https://github.com/jupyterhub/jupyter-remote-desktop-proxy)), this leads to **remote unauthenticated arbitrary code execution**, due to how they use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected.\n\n## Remediation\n\nUpgrade `jupyter-server-proxy` to a patched version and restart any running Jupyter server.\n\nYou may not be installing `jupyter-server-proxy` directly, but have it be pulled in as a dependency ([partial list of dependent packages](https://www.wheelodex.org/projects/jupyter-server-proxy/rdepends/)) - so you may be vulnerable even if you aren\u0027t directly depending on `jupyter-server-proxy`.\n\n### For JupyterHub admins of [TLJH] installations\n\n\u003cdetails\u003e\u003csummary\u003eExpand to read more\u003c/summary\u003e\n\nTo secure a tljh deployment\u0027s user servers, first check if `jupyter-server-proxy` is installed in the user environment with a vulnerable version. If it is, patch the vulnerability and consider terminating currently running user servers.\n\n[tljh]: https://tljh.jupyter.org\n\n#### 1. Check for vulnerability\n\nAs an JupyterHub admin from a terminal in a started user server, you can do:\n\n```bash\nsudo -E python3 -c \u0027\ntry:\n    import jupyter_server_proxy\n    is_vulnerable = not hasattr(jupyter_server_proxy, \"__version__\")\nexcept:\n    is_vulnerable = False\nif is_vulnerable:\n    print(\"WARNING: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.\")\nelse:\n    print(\"INFO: not vulnerable to GHSA-w3vc-fx9p-wp4v\")\n\u0027\n```\n\nAlternatively as a root user on the server where tljh is installed, you can do:\n\n```bash\nsudo PATH=/opt/tljh/user/bin:${PATH} python3 -c \u0027\ntry:\n    import jupyter_server_proxy\n    is_vulnerable = not hasattr(jupyter_server_proxy, \"__version__\")\nexcept:\n    is_vulnerable = False\nif is_vulnerable:\n    print(\"WARNING: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.\")\nelse:\n    print(\"INFO: not vulnerable to GHSA-w3vc-fx9p-wp4v\")\n\u0027\n```\n\n#### 2. Patch detected vulnerability\n\nAs an JupyterHub admin from a terminal in a started user server, you can do:\n\n```bash\nsudo -E pip install \"jupyter-server-proxy\u003e=3.2.3,!=4.0.0,!=4.1.0\"\n```\n\nAlternatively as a root user on the server where tljh is installed, you can do:\n\n```bash\nsudo PATH=/opt/tljh/user/bin:${PATH} pip install \"jupyter-server-proxy\u003e=3.2.3,!=4.0.0,!=4.1.0\"\n```\n\n#### 3. Consider terminating currently running user servers\n\nUser servers that started before the patch was applied are still vulnerable. To ensure they aren\u0027t vulnerable any more you could forcefully terminate their servers via the JupyterHub web interface at `https://\u003cyour domain\u003e/hub/admin`.\n\n\u003c/details\u003e\n\n### For JupyterHub admins of [Z2JH] installations\n\n\u003cdetails\u003e\u003csummary\u003eExpand to read more\u003c/summary\u003e\n\nTo secure your z2jh deployment\u0027s user servers, first consider if one or more user environments is or may be vulnerable, then ensure new user servers\u0027 aren\u0027t started with the vulnerability, and finally consider terminating currently running user servers. The steps below guide you to do so.\n\n[z2jh]: https://z2jh.jupyter.org\n\n#### 1. Check for vulnerabilities\n\nConsider all docker images that user servers\u0027 environment may be based on. If your deployment expose a fixed set of images, you may be able to update them to non-vulnerable versions.\n\nTo check if an individual docker image is vulnerable, use a command like:\n\n```bash\nCHECK_IMAGE=jupyter/base-notebook:2023-10-20\ndocker run --rm $CHECK_IMAGE python3 -c \u0027\ntry:\n    import jupyter_server_proxy\n    is_vulnerable = not hasattr(jupyter_server_proxy, \"__version__\")\nexcept:\n    is_vulnerable = False\nif is_vulnerable:\n    print(\"WARNING: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.\")\nelse:\n    print(\"INFO: not vulnerable to GHSA-w3vc-fx9p-wp4v\")\n\u0027\n```\n\nNote that if you reference an image with a mutable tag, such as `quay.io/jupyter/pangeo-notebook:master`, you should ensure a new version is used by configuring the image pull policy so that an older vulnerable version isn\u0027t kept being used because it was already available on a Kubernetes node.\n\n```yaml\nsingleuser:\n  image:\n    name: quay.io/jupyter/pangeo-notebook\n    tag: master\n    # pullPolicy (a.k.a. imagePullPolicy in k8s specification) should be\n    # declared to Always if you make use of mutable tags\n    pullPolicy: Always\n```\n\n#### 2. Patch vulnerabilities dynamically\n\nIf your z2jh deployment still may start vulnerable images for users, you could mount a script that checks and patches the vulnerability before the jupyter server starts.\n\nBelow is JupyterHub Helm chart configuration that relies on [`singleuser.extraFiles`] and [`singleuser.cmd`] to mount a script we use as an entrypoint to dynamically check and patch the vulnerability before jupyter server is started.\n\nUnless you change it, the script will attempt to upgrade `jupyter-server-proxy` to a non-vulnerable version if needed, and error if it needs to and fails. You can adjust this behavior by adjusting the constants `UPGRADE_IF_VULNERABLE` and `ERROR_IF_VULNERABLE` inside the script.\n\n[`singleuser.extraFiles`]: https://z2jh.jupyter.org/en/stable/resources/reference.html#singleuser-extrafiles\n[`singleuser.cmd`]: https://z2jh.jupyter.org/en/stable/resources/reference.html#singleuser-cmd\n\n```yaml\nsingleuser:\n  cmd:\n    - /mnt/ghsa-w3vc-fx9p-wp4v/check-patch-run\n    - jupyterhub-singleuser\n  extraFiles:\n    ghsa-w3vc-fx9p-wp4v-check-patch-run:\n      mountPath: /mnt/ghsa-w3vc-fx9p-wp4v/check-patch-run\n      mode: 0755\n      stringData: |\n        #!/usr/bin/env python3\n        \"\"\"\n        This script is designed to check for and conditionally patch GHSA-w3vc-fx9p-wp4v\n        in user servers started by a JupyterHub. The script will execute any command\n        passed via arguments if provided, allowing it to wrap a user server startup call\n        to `jupyterhub-singleuser` for example.\n\n        Use and function of this script can be further discussed in\n        https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues/3360.\n\n        Script adjustments:\n        - UPGRADE_IF_VULNERABLE\n        - ERROR_IF_VULNERABLE\n\n        Script patching assumptions:\n        - script is run before the jupyter server starts\n        - pip is available\n        - pip has sufficient filesystem permissions to upgrade jupyter-server-proxy\n\n        Read more at https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.\n        \"\"\"\n\n        import os\n        import subprocess\n        import sys\n\n        # adjust these to meet vulnerability mitigation needs\n        UPGRADE_IF_VULNERABLE = True\n        ERROR_IF_VULNERABLE = True\n\n\n        def check_vuln():\n            \"\"\"\n            Checks for the vulnerability by looking to see if __version__ is available\n            as it coincides with the patched versions (3.2.3 and 4.1.1).\n            \"\"\"\n            try:\n                import jupyter_server_proxy\n\n                return False if hasattr(jupyter_server_proxy, \"__version__\") else True\n            except:\n                return False\n\n\n        def get_version_specifier():\n            \"\"\"\n            Returns a pip version specifier for use with `--no-deps` meant to do as\n            little as possible besides patching the vulnerability and remaining\n            functional.\n            \"\"\"\n            old = [\"jupyter-server-proxy\u003e=3.2.3,\u003c4\"]\n            new = [\"jupyter-server-proxy\u003e=4.1.1,\u003c5\", \"simpervisor\u003e=1,\u003c2\"]\n\n            try:\n                if sys.version_info \u003c (3, 8):\n                    return old\n\n                from importlib.metadata import version\n\n                jsp_version = version(\"jupyter-server-proxy\")\n                if int(jsp_version.split(\".\")[0]) \u003c 4:\n                    return old\n            except:\n                pass\n            return new\n\n\n        def patch_vuln():\n            \"\"\"\n            Attempts to patch the vulnerability by upgrading jupyter-server-proxy using\n            pip. Returns True if the patch is applied successfully, otherwise False.\n            \"\"\"\n            # attempt upgrade via pip, takes ~4 seconds\n            proc = subprocess.run(\n                [sys.executable, \"-m\", \"pip\", \"--version\"],\n                stdout=subprocess.DEVNULL,\n                stderr=subprocess.DEVNULL,\n            )\n            pip_available = proc.returncode == 0\n            if pip_available:\n                proc = subprocess.run(\n                    [sys.executable, \"-m\", \"pip\", \"install\", \"--no-deps\"]\n                    + get_version_specifier()\n                )\n                if proc.returncode == 0:\n                    return True\n            return False\n\n\n        def main():\n            if check_vuln():\n                warning_or_error = (\n                    \"ERROR\" if ERROR_IF_VULNERABLE and not UPGRADE_IF_VULNERABLE else \"WARNING\"\n                )\n                print(\n                    f\"{warning_or_error}: jupyter-server-proxy __is vulnerable__ to GHSA-w3vc-fx9p-wp4v, see \"\n                    \"https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v.\",\n                    flush=True,\n                )\n                if warning_or_error == \"ERROR\":\n                    sys.exit(1)\n\n                if UPGRADE_IF_VULNERABLE:\n                    print(\n                        \"INFO: Attempting to upgrade jupyter-server-proxy using pip...\",\n                        flush=True,\n                    )\n                    if patch_vuln():\n                        print(\n                            \"INFO: Attempt to upgrade jupyter-server-proxy succeeded!\",\n                            flush=True,\n                        )\n                    else:\n                        warning_or_error = \"ERROR\" if ERROR_IF_VULNERABLE else \"WARNING\"\n                        print(\n                            f\"{warning_or_error}: Attempt to upgrade jupyter-server-proxy failed!\",\n                            flush=True,\n                        )\n                        if warning_or_error == \"ERROR\":\n                            sys.exit(1)\n\n            if len(sys.argv) \u003e= 2:\n                print(\"INFO: Executing provided command\", flush=True)\n                os.execvp(sys.argv[1], sys.argv[1:])\n            else:\n                print(\"INFO: No command to execute provided\", flush=True)\n\n\n        main()\n```\n\n#### 3. Consider terminating currently running user servers\n\nUser servers that started before the patch was applied are still vulnerable. To ensure they aren\u0027t vulnerable any more you could forcefully terminate their servers via the JupyterHub web interface at `https://\u003cyour domain\u003e/hub/admin`.\n\n\u003c/details\u003e\n\n## Simple Reproduction\n\n\u003cdetails\u003e\u003csummary\u003eExpand to read more\u003c/summary\u003e\n\n### Setup application to proxy\n\nMake a trivial tornado app that has both websocket and regular HTTP endpoints.\n\n```python\nfrom tornado import websocket, web, ioloop\n\nclass EchoWebSocket(websocket.WebSocketHandler):\n    def open(self):\n        print(\"WebSocket opened\")\n\n    def on_message(self, message):\n        self.write_message(u\"You said: \" + message)\n\n    def on_close(self):\n        print(\"WebSocket closed\")\n\nclass HiHandler(web.RequestHandler):\n    def get(self):\n        self.write(\"Hi\")\n\napp = web.Application([\n    (r\u0027/ws\u0027, EchoWebSocket),\n    (r\u0027/hi\u0027, HiHandler)\n])\n\nif __name__ == \u0027__main__\u0027:\n    app.listen(9500)\n    ioloop.IOLoop.instance().start()\n```\n\n### Setup a clean environment with `jupyter-server-proxy` and start a `jupyter server` instance\n\nWe don\u0027t need jupyterlab or anything else here, just `jupyter-server-proxy` would do.\n\n```bash\npython -m venv clean-env/\nsource clean-env/bin/activate\npip install jupyter-server-proxy\njupyter server\n```\n\n### Verify HTTP requests require authentication\n\n```bash\ncurl -L http://127.0.0.1:8888/proxy/9500/hi\n```\n\nThis does *not* return the `Hi` response, as expected. Instead, you get the HTML response asking for a token.\n\nThis is secure as intended.\n\n### Verify websocket requests doesn\u0027t authentication\n\nThe example makes use of [websocat](https://github.com/vi/websocat) to test websockets. You can use any other tool you are familiar with too.\n\n```bash\nwebsocat ws://localhost:8888/proxy/9500/ws\n```\n\nAt the terminal, type \u0027Just testing\u0027 and press Enter. You\u0027ll get `You said: Just testing` without any authentication required.\n\n\u003c/details\u003e",
  "id": "GHSA-w3vc-fx9p-wp4v",
  "modified": "2025-02-21T22:32:30Z",
  "published": "2024-03-20T15:22:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28179"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server-proxy/PYSEC-2024-234.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jupyter Server Proxy\u0027s Websocket Proxying does not require authentication"
}

FKIE_CVE-2024-28179

Vulnerability from fkie_nvd - Published: 2024-03-20 20:15 - Updated: 2025-02-21 16:37

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433	Product
security-advisories@github.com	https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9	Patch
security-advisories@github.com	https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03	Patch
security-advisories@github.com	https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v	Vendor Advisory

Impacted products

	Vendor	Product	Version
	jupyter	jupyter_server_proxy	*
	jupyter	jupyter_server_proxy	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:jupyter:jupyter_server_proxy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "51D04BA6-D1C3-4132-9C0E-891EE213D100",
              "versionEndExcluding": "3.2.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:jupyter:jupyter_server_proxy:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5DA7A15-524C-4224-B9A1-2BE4D1E48FEB",
              "versionEndExcluding": "4.1.1",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue."
    },
    {
      "lang": "es",
      "value": "Jupyter Server Proxy permite a los usuarios ejecutar procesos externos arbitrarios junto con sus servidores port\u00e1tiles Jupyter y proporciona acceso web autenticado. Antes de las versiones 3.2.3 y 4.1.1, Jupyter Server Proxy no verificaba adecuadamente la autenticaci\u00f3n del usuario al utilizar websockets, lo que permit\u00eda el acceso no autenticado a cualquier persona que tuviera acceso de red al endpoint del servidor Jupyter. Esta vulnerabilidad puede permitir el acceso remoto no autenticado a cualquier endpoint de websocket configurado para ser accesible a trav\u00e9s de Jupyter Server Proxy. En muchos casos, esto conduce a la ejecuci\u00f3n remota de c\u00f3digo arbitrario no autenticado, debido a c\u00f3mo las instancias afectadas usan websockets. Los endpoints de websocket expuestos por el propio `jupyter_server` no se ven afectados. Los proyectos que no dependen de websockets tampoco se ven afectados. Las versiones 3.2.3 y 4.1.1 contienen una soluci\u00f3n para este problema. "
    }
  ],
  "id": "CVE-2024-28179",
  "lastModified": "2025-02-21T16:37:13.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-20T20:15:08.680",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

PYSEC-2024-234

Vulnerability from pysec - Published: 2024-03-20 20:15 - Updated: 2025-02-21 18:23

Details

Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by jupyter_server itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impacted products

Name	purl
jupyter-server-proxy	pkg:pypi/jupyter-server-proxy

Aliases

CVE-2024-28179

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server-proxy",
        "purl": "pkg:pypi/jupyter-server-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "764e499f61a87641916a7a427d4c4b1ac3f321a9"
            },
            {
              "fixed": "bead903b7c0354b6efd8b4cde94b89afab653e03"
            },
            {
              "fixed": "764e499f61a87641916a7a427d4c4b1ac3f321a9"
            },
            {
              "fixed": "bead903b7c0354b6efd8b4cde94b89afab653e03"
            }
          ],
          "repo": "https://github.com/jupyterhub/jupyter-server-proxy",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.3"
            },
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0",
        "1.0.1",
        "1.0b1",
        "1.0b2",
        "1.0b4",
        "1.0b5",
        "1.0b6",
        "1.0b7",
        "1.0b8",
        "1.0b9",
        "1.1.0",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.4.0",
        "1.5.0",
        "1.5.2",
        "1.5.3",
        "1.6.0",
        "3.0.0",
        "3.0.0rc1",
        "3.0.1",
        "3.0.2",
        "3.1.0",
        "3.2.0",
        "3.2.1",
        "3.2.2",
        "4.0.0",
        "4.1.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28179"
  ],
  "details": "Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.",
  "id": "PYSEC-2024-234",
  "modified": "2025-02-21T18:23:35.992501+00:00",
  "published": "2024-03-20T20:15:08+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v"
    },
    {
      "type": "FIX",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9"
    },
    {
      "type": "FIX",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433"
    }
  ],
  "related": [
    "GHSA-w3vc-fx9p-wp4v",
    "GHSA-w3vc-fx9p-wp4v"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-28179 (GCVE-0-2024-28179)

GSD-2024-28179

GHSA-W3VC-FX9P-WP4V

Summary

Impact

Remediation

For JupyterHub admins of [TLJH] installations

For JupyterHub admins of [Z2JH] installations

Simple Reproduction

FKIE_CVE-2024-28179

PYSEC-2024-234

Tags

Sightings

Nomenclature