CVE-2024-28188
jupyter-scheduler's endpoint is missing authentication
Description
### Impact `jupyter_scheduler` is missing an authentication check in Jupyter Server on an API endpoint (`GET /scheduler/runtime_environments`) which lists the names of the Conda environments on the server. In affected versions, `jupyter_scheduler` allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name. This issue does **not** allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where `jupyter_scheduler` is running. This issue only reveals the list of Conda environment names. Impacted versions: `>=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1` ### Patches * `jupyter-scheduler==1.1.6` * `jupyter-scheduler==1.2.1` * `jupyter-scheduler==1.8.2` * `jupyter-scheduler==2.5.2` ### Workarounds Server operators who are unable to upgrade can disable the `jupyter-scheduler` extension with: ``` jupyter server extension disable jupyter-scheduler ``` ### References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
How to fix CVE-2024-28188
To remediate CVE-2024-28188, upgrade the affected package to a fixed version below.
- —upgrade to 1.1.6 or later
Is CVE-2024-28188 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.0.0, < 1.1.6