CVE-2024-22415 HIGH

CVE-2024-22415: Unsecured endpoints in the jupyter-lsp server extension

Vendor Jupyter-Lsp
Product jupyterlab-lsp
Weakness CWE-23
Published January 18, 2024
Last update September 10, 2024

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

Description

jupyter-lsp is a coding assistance tool for JupyterLab (code navigation, hover suggestions, linters, autocompletion and rename) built on the Language Server Protocol. Installations of jupyter-lsp are vulnerable when two conditions hold together: the server runs in an environment without file system access control configured at the operating-system level, and the jupyter-server instance is exposed to a non-trusted network. In that setting a remote party can read and modify the file system beyond the Jupyter root directory without authorisation; consistent with the CVSS vector (PR:N, UI:N), no credentials or user interaction are required. The issue has been patched in jupyter-lsp version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp.
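The weakness class behind "access beyond the root directory" (CWE-23, relative path traversal) is easier to reason about with a small resolver side by side with its hardened form. The block below is an added illustrative example written for this page; it is not jupyter-lsp's own code and does not reproduce its request handlers. The root directory, files and request strings are constructed for the demonstration, and the helper names (`naive_resolve`, `safe_resolve`, `classify`, `run_demo`) are the example's own.

```python
"""Illustrative example, not code from jupyter-lsp: confining client-supplied
file paths to a configured root directory.

naive_resolve() joins the request string onto the root and normalises it, the
pattern CWE-23 (relative path traversal) describes; safe_resolve() canonicalises
the result and refuses anything that lands outside the root. The root
directory, files and request strings are constructed here for the demonstration.
"""
import os
import tempfile
from pathlib import Path


class PathEscapesRoot(ValueError):
    """Requested path resolves outside the configured root directory."""


def naive_resolve(root: Path, requested: str) -> Path:
    # os.path.normpath collapses "a/../b" but happily walks above the root,
    # and joining an absolute request discards the root entirely.
    return Path(os.path.normpath(os.path.join(root, requested)))


def safe_resolve(root: Path, requested: str) -> Path:
    # Refuse absolute requests outright rather than silently re-rooting them.
    if os.path.isabs(requested):
        raise PathEscapesRoot(f"absolute path refused: {requested!r}")
    root_real = root.resolve(strict=True)
    # resolve() follows symlinks, so a link inside the root that points outside
    # is caught too; strict=False lets not-yet-existing files be checked.
    candidate = (root_real / requested).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathEscapesRoot(f"{requested!r} escapes {root_real}") from None
    return candidate


def classify(root: Path, requests) -> dict:
    """Map each request string to 'allowed' or 'refused' under safe_resolve()."""
    verdicts = {}
    for req in requests:
        try:
            safe_resolve(root, req)
            verdicts[req] = "allowed"
        except PathEscapesRoot:
            verdicts[req] = "refused"
    return verdicts


def build_demo_root() -> Path:
    """Constructed fixture: a root with one source file and a symlink pointing out."""
    base = Path(tempfile.mkdtemp(prefix="lsp-root-demo-"))
    root = base / "notebooks"
    root.mkdir()
    (root / "analysis.py").write_text("print('hello')\n")
    (base / "outside.txt").write_text("not for clients\n")
    try:
        (root / "link").symlink_to(base / "outside.txt")
    except OSError:
        pass  # symlink creation unavailable; the ".." cases still apply
    return root


# Constructed request strings a network client might send.
DEMO_REQUESTS = ["analysis.py", "sub/../analysis.py", "../outside.txt", "/etc/passwd", "link"]


def run_demo() -> dict:
    """Run both resolvers over the demo requests and return their results."""
    root = build_demo_root()
    verdicts = classify(root, DEMO_REQUESTS)
    # What the naive join would have handed to the file system for each request.
    naive = {req: str(naive_resolve(root, req)) for req in DEMO_REQUESTS}
    return {"root": str(root), "safe": verdicts, "naive": naive}


if __name__ == "__main__":
    result = run_demo()
    print("root:", result["root"])
    for req in DEMO_REQUESTS:
        print(f"{req!r:24} safe={result['safe'][req]:8} naive->{result['naive'][req]}")
```

Note the symlink case: the naive join keeps `link` inside the root on paper, while the file system follows it to `outside.txt`; this is why the hardened check compares canonicalised paths rather than strings, and why the advisory names operating-system-level file access control as the compensating layer when the application check is absent.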

Key dates

Disclosure timeline

January 18, 2024 CVE published
September 10, 2024 Record updated