Information disclosure in Jupyter Server

#VU99615 Information disclosure in Jupyter Server

Published: 2024-11-01

Vulnerability identifier: #VU99615

Vulnerability risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-35178

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Jupyter Server
Server applications / Other server solutions

Vendor: Jupyter

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the application exposes the NTLMv2 password hash of the Windows user running. A remote attacker can obtain the hash and use it to compromise the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Jupyter Server: 0.0.1 - 2.14.0

External links
http://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62
http://github.com/jupyter-server/jupyter_server/commit/79fbf801c5908f4d1d9bc90004b74cfaaeeed2df

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

openEuler 24.03 LTS update for python-jupyter-server

NTLMv2 hash disclosure in Jupyter Server