CVE-2024-35178
HIGH7.5EPSS 1.5%Jupyter server on Windows discloses Windows user password hash
發布日:2024/6/6修改日:2026/2/4
描述
### Summary Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines.
受影響套件(2)
- PyPI/jupyter-serverfrom 0, < 2.14.1
- PyPI/jupyter-serverfrom 0, < 79fbf801c5908f4d1d9bc90004b74cfaaeeed2df, < 79fbf801c5908f4d1d9bc90004b74cfaaeeed2df | from 0, < 2.14.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-35178
- PATCHhttps://github.com/jupyter-server/jupyter_server
- WEBhttps://github.com/jupyter-server/jupyter_server/commit/79fbf801c5908f4d1d9bc90004b74cfaaeeed2df
- WEBhttps://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2024-165.yaml