jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp.
CVE-2024-22415 - High Severity Vulnerability
Vulnerable Library - jupyter_lsp-1.5.1-py3-none-any.whl
Multi-Language Server WebSocket proxy for Jupyter Notebook/Lab server
Library home page: https://files.pythonhosted.org/packages/a6/49/c87099bdccb160b4ebd2c4485bf385c15f0288b4db76f460abccc0e51b9b/jupyter_lsp-1.5.1-py3-none-any.whl
Path to dependency file: /jupyter-conda-22-04/files/etc/jupyter/requirements.txt
Path to vulnerable library: /jupyter-conda-22-04/files/etc/jupyter/requirements.txt
Dependency Hierarchy: - jupyterlab_lsp-3.10.2-py3-none-any.whl (Root Library) - :x: **jupyter_lsp-1.5.1-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 6b247e0983d2f20a95b630486ea47b527c663ebb
Found in base branch: master
Vulnerability Details
jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp.
Publish Date: 2024-01-18
URL: CVE-2024-22415
CVSS 3 Score Details (7.3)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-22415
Release Date: 2024-01-18
Fix Resolution (jupyter-lsp): 2.2.2
Direct dependency fix Resolution (jupyterlab-lsp): 4.0.0
Step up your Open Source Security Game with Mend here