Fixed versions
4.0.1
3.2.4
4.1.1
3.2.3
CVE-2024-28179 is a critical vulnerability affecting Jupyter Server Proxy versions up to 4.1.0. This flaw allows unauthenticated users to access websocket endpoints, potentially leading to remote code execution. The vulnerability stems from inadequate user authentication checks when proxying websockets. A fix is available in version 3.2.3.
The impact of CVE-2024-28179 is severe. An attacker can exploit this vulnerability to gain unauthenticated access to websocket endpoints managed by Jupyter Server Proxy. This access can be leveraged to execute arbitrary code on the server, potentially compromising the entire Jupyter notebook environment. The attacker could steal sensitive data, modify notebooks, install malware, or even gain persistent access to the system. The blast radius extends to any user or system interacting with the vulnerable Jupyter Server Proxy instance, particularly those relying on websocket communication for data exchange or real-time interactions.
CVE-2024-28179 was publicly disclosed on March 20, 2024. The vulnerability has a high probability of exploitation (EPSS score likely to be high) due to its ease of exploitation and the critical nature of the potential impact. Public proof-of-concept exploits are likely to emerge quickly. This vulnerability is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring.
Organizations and individuals using Jupyter notebooks in production environments, particularly those relying on Jupyter Server Proxy for websocket communication, are at significant risk. Shared hosting environments where Jupyter notebooks are deployed could be particularly vulnerable, as attackers might exploit the vulnerability to compromise multiple users.
• python / jupyter:

    from importlib.metadata import PackageNotFoundError, version
    try:
        # Query the proxy package itself: `jupyter server --version` reports jupyter_server, not the proxy
        v = tuple(int(x) for x in version('jupyter-server-proxy').split('.')[:3])
        if v <= (4, 1, 0):  # compare numerically; comparing the strings would misorder e.g. '10.0.0'
            print("Vulnerable version detected!")
    except PackageNotFoundError:
        print("jupyter-server-proxy is not installed")

• linux / server:

    # [j] keeps grep from matching its own command line
    if ps aux | grep '[j]upyter-server-proxy' | grep -q 'websocket'; then
        echo "Jupyter Server Proxy with websocket enabled detected - investigate further!"
    fi

• generic web:

    # -s fetches the response body; -I returns only headers, which do not list routes
    if curl -s http://<jupyter_server_proxy_url>/api/routes | grep -q 'websocket'; then
        echo "Websocket endpoint detected - potential vulnerability!"
    fi

Disclosure
Exploitation status
EPSS
0.35% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-28179 is to upgrade Jupyter Server Proxy to version 3.2.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the Jupyter Server Proxy endpoint using a firewall or intrusion prevention system. Review and strengthen authentication mechanisms for websocket endpoints. Monitor Jupyter Server Proxy logs for suspicious activity, particularly unauthorized access attempts. After upgrading, confirm the fix by attempting to access a websocket endpoint without authentication and verifying that access is denied.
Update Jupyter Server Proxy to version 3.2.3 or later, or to version 4.1.1 or later. This fixes the authentication flaw in the WebSocket proxy. Run `pip install --upgrade jupyter-server-proxy` to update.
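As an added example (not code from this page or from the Jupyter Server Proxy project), a version check that encodes both fixed lines named above: it assumes every release before 3.2.3 and the 4.x line before 4.1.1 are affected, so 3.2.3 up to 4.0.0 is treated as fixed, and it reads an `==` pin for jupyter-server-proxy out of requirements.txt or `pip freeze` text. The sample requirements are constructed.

```python
import re
from typing import Optional, Tuple

PACKAGE = "jupyter-server-proxy"

# Affected ranges implied by the upgrade guidance above (assumed, not taken from the project):
# everything before 3.2.3, and the 4.x line from 4.0.0 up to but not including 4.1.1.
AFFECTED_RANGES = [((0, 0, 0), (3, 2, 3)), ((4, 0, 0), (4, 1, 1))]

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.1.0' (or '4.1.0rc1', tag dropped) into a comparable numeric tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version: str) -> bool:
    """Numeric range check; a string comparison would misorder e.g. '10.0.0' < '4.1.0'."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def find_pinned_version(requirements: str) -> Optional[str]:
    """Return the '==' pin for jupyter-server-proxy from requirements.txt / pip-freeze text."""
    for raw in requirements.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)", line)
        if m and re.sub(r"[-_.]+", "-", m.group(1).lower()) == PACKAGE:
            return m.group(2)
    return None                                       # absent, or not pinned with '=='

def check_requirements(requirements: str) -> str:
    pin = find_pinned_version(requirements)
    if pin is None:
        return "not pinned"
    return "vulnerable" if is_vulnerable(pin) else "fixed"

# Constructed sample input, not taken from any real deployment.
SAMPLE_REQUIREMENTS = """\
jupyter_server==2.13.0
jupyter-server-proxy==4.1.0   # proxies websockets for dashboards
notebook==7.1.2
"""

if __name__ == "__main__":
    print(check_requirements(SAMPLE_REQUIREMENTS))  # vulnerable
```

A requirement that is not pinned with `==` is reported as "not pinned" rather than guessed at, since a range spec cannot be resolved without the installed environment.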
CVE-2024-28179 is a critical vulnerability in Jupyter Server Proxy versions up to 4.1.0 that allows unauthenticated users to access websocket endpoints, potentially leading to remote code execution.
You are affected if you are using Jupyter Server Proxy versions 4.1.0 or earlier. Check your version immediately.
Upgrade Jupyter Server Proxy to version 3.2.3 or later to resolve the vulnerability. If upgrading is not possible, implement temporary workarounds like restricting network access.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation. Monitor your systems closely.
Refer to the official Jupyter Server Proxy security advisory for detailed information and updates: https://github.com/jupyter/server-proxy/security/advisories/GHSA-xxxx-xxxx-xxxx