An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS12OWcyLWc3ajQtNGp4Y84AA8hd

Severity: Moderate. EPSS: 0.00137% (0.34341 percentile)

jupyter-scheduler's endpoint is missing authentication

Affected package: pypi:jupyter-scheduler (PURL: pkg:pypi/jupyter-scheduler)
Affected versions: >= 2.0.0, < 2.5.2; >= 1.3.0, < 1.8.2; = 1.2.0; >= 1.0.0, < 1.1.6
Fixed versions: 2.5.2, 1.8.2, 1.2.1, 1.1.6
2 Dependent packages
7 Dependent repositories
13,288 Downloads last month

Affected Version Ranges

All affected versions

1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.5.1

All unaffected versions

0.1.0, 0.1.1, 0.2.1, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 1.1.6, 1.2.1, 1.8.2, 1.9.0, 2.5.2, 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0, 2.11.0

Impact

jupyter_scheduler is missing an authentication check in Jupyter Server on an API endpoint (GET /scheduler/runtime_environments) which lists the names of the Conda environments on the server. In affected versions, jupyter_scheduler allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name.

This issue does not allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where jupyter_scheduler is running. This issue only reveals the list of Conda environment names.

Impacted versions: >=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1
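
As an added example (not jupyter-scheduler's or Jupyter Server's own code), a small static check in the spirit of this fix: it walks a Tornado/Jupyter Server handler module with `ast` and flags HTTP verb methods on `*Handler` classes that carry no `authenticated` decorator, which is how such handlers normally require a login. The handler source embedded in it is constructed to mirror the defect described above and is not the project's real source.

```python
import ast

HTTP_VERBS = {"get", "post", "put", "patch", "delete", "head", "options"}
# Decorator spellings Jupyter Server / Tornado handlers use to require login.
AUTH_DECORATORS = {"authenticated", "web.authenticated", "tornado.web.authenticated"}

def _decorator_name(node):
    """Render a decorator node back to a dotted name (call parens stripped)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        base = _decorator_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return node.id if isinstance(node, ast.Name) else ""

def find_unauthenticated_verbs(source):
    """Return (class, method, lineno) for each HTTP verb method of a *Handler
    class that carries no authentication decorator."""
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not (isinstance(cls, ast.ClassDef) and cls.name.endswith("Handler")):
            continue
        for fn in cls.body:
            if (isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef))
                    and fn.name in HTTP_VERBS
                    and not {_decorator_name(d) for d in fn.decorator_list} & AUTH_DECORATORS):
                findings.append((cls.name, fn.name, fn.lineno))
    return findings

# Constructed sample, not jupyter-scheduler's real source: the first handler
# mirrors the advisory's defect (GET with no auth check), the second is hardened.
SAMPLE = '''
from jupyter_server.base.handlers import APIHandler
from tornado import web

class RuntimeEnvironmentsHandler(APIHandler):
    async def get(self):
        self.finish(json.dumps(self.environments_manager.list_environments()))

class JobHandler(APIHandler):
    @web.authenticated
    async def get(self, job_id):
        self.finish(json.dumps(self.scheduler.get_job(job_id)))
'''

if __name__ == "__main__":
    for cls, fn, line in find_unauthenticated_verbs(SAMPLE):
        print(f"{cls}.{fn} (line {line}): no authentication decorator")
```

Running the check over the constructed sample reports only `RuntimeEnvironmentsHandler.get`; adding `@web.authenticated` to that method clears the finding.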

Patches

  • jupyter-scheduler==1.1.6
  • jupyter-scheduler==1.2.1
  • jupyter-scheduler==1.8.2
  • jupyter-scheduler==2.5.2

Workarounds

Server operators who are unable to upgrade can disable the jupyter-scheduler extension with:

jupyter server extension disable jupyter-scheduler

References

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting