CVE-2024-35178 HIGH

CVE-2024-35178: Jupyter server on Windows discloses Windows user password hash

Vendor Jupyter-Server

Product jupyter_server

Weakness CWE-200 · Info exposure

Published June 6, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1.

Key dates

02Disclosure timeline

June 6, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-35178 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2024-35178: Jupyter server on Windows discloses Windows user password hash

01Description

02Disclosure timeline

03References

04Related CVE