jupyter-server / enterprise_gateway

A lightweight, multi-tenant, scalable and secure gateway that enables Jupyter Notebooks to share resources across distributed clusters such as Apache Spark, Kubernetes and others.
https://jupyter-enterprise-gateway.readthedocs.io/en/latest/

Multiple CVEs on jupyter-server package that comes as a dependency with JEG #1388

Open Poojitha-R-Rao opened 3 months ago

Poojitha-R-Rao commented 3 months ago

Summary

The recent version of jupyter enterprise gateway (JEG - 3.2.3) has a dependency on the vulnerable jupyter server version - 1.24.0 (please find CVE below)

Details

The recent version of jupyter enterprise gateway has a dependency on the vulnerable jupyter server version - 1.24.0 (please find CVEs below). Trying to upgrade the jupyter-server to the recent version is giving compatibility issues with JEG. It is giving the error - `jupyter-enterprise-gateway 3.2.3 requires jupyter-server<2.0,>=1.7, but you have jupyter-server 2.14.1 which is incompatible`. Please help upgrade the jeg version to work with the recent version on jupyter server.

| CVE | Score | Pub_Date | Severity | Exploitability | Exploit Type | Package | Package Version | Fixed Version | Package Path |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-35178 | 7.5 | 2024-06-06 | high | | | jupyter-server | 1.24.0 | 2.14.1 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-39968 | 6.1 | 2023-08-28 | medium | | | jupyter-server | 1.24.0 | 2.7.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-40170 | 6.1 | 2023-08-28 | medium | | | jupyter-server | 1.24.0 | 2.7.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-49080 | 4.3 | 2023-12-04 | medium | | | jupyter-server | 1.24.0 | 2.11.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
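The core of the report above is that the pin `jupyter-server<2.0,>=1.7` can never admit any of the fixed versions in the table, so upgrading jupyter-server in place cannot remediate the CVEs. The following is an added example (not code from the issue or from the Enterprise Gateway project) that takes the pin from the quoted pip error and the fixed versions from the table and lists the CVEs the pin blocks; it uses only the standard library and a deliberately small subset of version-specifier syntax, and the helper names are the example's own.

```python
import operator
import re

# Values taken from the issue: installed version, the pip-reported pin,
# and the first fixed jupyter-server version per CVE.
INSTALLED = "1.24.0"
JEG_REQUIREMENT = "jupyter-server<2.0,>=1.7"
FIXED_VERSIONS = {
    "CVE-2024-35178": "2.14.1",
    "CVE-2023-39968": "2.7.2",
    "CVE-2023-40170": "2.7.2",
    "CVE-2023-49080": "2.11.2",
}

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def parse_version(text):
    """'1.24.0' -> (1, 24, 0). Only dotted-integer releases are supported."""
    return tuple(int(p) for p in text.strip().split("."))

def _padded(a, b):
    """Zero-pad the shorter tuple so '2.0' compares equal to '2.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def satisfies(version, specifier):
    """True if `version` meets every comma-separated clause, e.g. '<2.0,>=1.7'."""
    v = parse_version(version)
    for clause in specifier.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        a, b = _padded(v, parse_version(m.group(2)))
        if not _OPS[m.group(1)](a, b):
            return False
    return True

def split_requirement(requirement):
    """'jupyter-server<2.0,>=1.7' -> ('jupyter-server', '<2.0,>=1.7')."""
    m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*(.*)", requirement.strip())
    return m.group(1), m.group(2)

def unfixable_cves(installed, requirement, fixed_versions):
    """CVEs whose fixed version lies outside the pin: the installed version is
    still affected, yet no compliant upgrade reaches the fix."""
    _, spec = split_requirement(requirement)
    blocked = []
    for cve, fixed in fixed_versions.items():
        inst, fix = _padded(parse_version(installed), parse_version(fixed))
        if inst < fix and not satisfies(fixed, spec):
            blocked.append(cve)
    return sorted(blocked)

if __name__ == "__main__":
    for cve in unfixable_cves(INSTALLED, JEG_REQUIREMENT, FIXED_VERSIONS):
        print(f"{cve}: fix {FIXED_VERSIONS[cve]} is outside {JEG_REQUIREMENT}")
```

With the issue's values every one of the four CVEs is reported as blocked, which is the dependency-side evidence that only a new Enterprise Gateway release with a relaxed pin can close them.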