PyPI: jupyter-server-proxy
CVE-2024-28179
Safety vulnerability ID: SFTY-20240320-87600
Safety legacy ID: pyup.io-71838
Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. A vulnerability existed where Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone with network access to the Jupyter server endpoint. This vulnerability permits unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy, potentially leading to remote unauthenticated arbitrary code execution due to the use of websockets in affected instances. Projects that do not rely on websockets are not affected. The websocket endpoints exposed by jupyter_server itself are also not affected. This issue has been fixed in the latest versions.
Overview
Jupyter Server Proxy's Websocket Proxying does not require authentication
Advisory
Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. A vulnerability existed where Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone with network access to the Jupyter server endpoint. This vulnerability permits unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy, potentially leading to remote unauthenticated arbitrary code execution due to the use of websockets in affected instances. Projects that do not rely on websockets are not affected. The websocket endpoints exposed by jupyter_server itself are also not affected. This issue has been fixed in the latest versions.
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240320-87600/CVE-2024-28179
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28179
- https://github.com/advisories/GHSA-w3vc-fx9p-wp4v
- https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v
- https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9
- https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03
- https://nvd.nist.gov/vuln/detail/CVE-2024-28179
- https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433
- https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server-proxy/PYSEC-2024-234.yaml
- https://github.com/advisories/GHSA-w3vc-fx9p-wp4v
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more