CVE-2024-28188 MEDIUM

CVE-2024-28188: jupyter-scheduler's endpoint is missing authentication

Vendor Jupyter-Server
Product jupyter-scheduler
Weakness CWE-200 · Info exposure
Published May 23, 2024
Last update August 2, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

Jupyter Scheduler is a collection of extensions for programming jobs to run now or run on a schedule. The list of conda environments of `jupyter-scheduler` users may be exposed, potentially revealing information about projects that a specific user may be working on. This vulnerability has been patched in versions 1.1.6, 1.2.1, 1.8.2 and 2.5.2.

Key dates

02 Disclosure timeline

May 23, 2024 CVE published
August 2, 2024 Record updated