Fixed versions
4.0.1
3.2.4
4.1.1
3.2.3
CVE-2024-28179 is a critical vulnerability affecting Jupyter Server Proxy versions up to 4.1.0. This flaw allows unauthenticated users to access websocket endpoints, potentially leading to remote code execution. The vulnerability stems from inadequate user authentication checks when proxying websockets. A fix is available in version 3.2.3.
The impact of CVE-2024-28179 is severe. An attacker can exploit this vulnerability to gain unauthenticated access to websocket endpoints managed by Jupyter Server Proxy. This access can be leveraged to execute arbitrary code on the server, potentially compromising the entire Jupyter notebook environment. The attacker could steal sensitive data, modify notebooks, install malware, or even gain persistent access to the system. The blast radius extends to any user or system interacting with the vulnerable Jupyter Server Proxy instance, particularly those relying on websocket communication for data exchange or real-time interactions.
CVE-2024-28179 was publicly disclosed on March 20, 2024. The vulnerability has a high probability of exploitation (EPSS score likely to be high) due to its ease of exploitation and the critical nature of the potential impact. Public proof-of-concept exploits are likely to emerge quickly. This vulnerability is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring.
Organizations and individuals using Jupyter notebooks in production environments, particularly those relying on Jupyter Server Proxy for websocket communication, are at significant risk. Shared hosting environments where Jupyter notebooks are deployed could be particularly vulnerable, as attackers might exploit the vulnerability to compromise multiple users.
• python / jupyter:

```python
from importlib.metadata import version
from packaging.version import Version

# Check the proxy extension itself, not `jupyter server --version` (that reports jupyter_server).
v = Version(version('jupyter-server-proxy'))
# Fixed in 3.2.3 (3.x branch) and 4.1.1 (4.x branch); plain string comparison would misorder
# versions such as '4.10' and '4.1.0'.
if v < Version('3.2.3') or Version('4.0') <= v < Version('4.1.1'):
    print("Vulnerable version detected!")
```

• linux / server:

```sh
# jupyter-server-proxy runs inside the jupyter-server process, so a process listing cannot
# reveal it; ask the server which extensions are enabled instead.
if jupyter server extension list 2>&1 | grep -q 'jupyter_server_proxy'; then
    echo "Jupyter Server Proxy enabled - check its version (pip show jupyter-server-proxy)"
fi
```

• generic web:

```sh
# `curl -I` returns headers only, so grepping them for 'websocket' never matches; fetch the body.
if curl -sS "http://<jupyter_server_proxy_url>/api/routes" | grep -q 'websocket'; then
    echo "Websocket endpoint detected - potential vulnerability!"
fi
```

Disclosure
Exploitation status
EPSS
0.35% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-28179 is to upgrade Jupyter Server Proxy to version 3.2.3 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting network access to the Jupyter Server Proxy endpoint using a firewall or intrusion prevention system. Review and strengthen authentication mechanisms for websocket endpoints. Monitor Jupyter Server Proxy logs for suspicious activity, particularly unauthorized access attempts. After upgrading, confirm the fix by attempting to access a websocket endpoint without authentication and verifying that access is denied.
Update Jupyter Server Proxy to 3.2.3 or later, or to 4.1.1 or later. This fixes the authentication flaw in websocket proxying. Run `pip install --upgrade jupyter-server-proxy` to update.
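As an added example (not code from this page or from the Jupyter project), a requirements.txt scanner that applies the fixed-version boundaries stated above (3.2.3 for the 3.x branch, 4.1.1 for the 4.x branch) and flags only exact pins, since a range or unpinned requirement cannot be decided without looking at the installed version. The sample requirements and the status strings are constructed assumptions.

```python
import re

# Fix boundaries taken from the advisory text: 3.x fixed in 3.2.3, 4.x fixed in 4.1.1.
FIX_3X = (3, 2, 3)
FIX_4X = (4, 1, 1)
REQ_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)')

def parse_version(text):
    """'4.1.0' -> (4, 1, 0); pre-release/local suffixes are ignored (conservative)."""
    parts = tuple(int(p) for p in re.findall(r'\d+', text)[:3])
    return (parts + (0, 0, 0))[:3] if parts else None

def is_vulnerable(version_text):
    """True for any release below 3.2.3 or a 4.x release below 4.1.1; None if unparseable."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIX_3X or (4, 0, 0) <= v < FIX_4X

def scan_requirements(text):
    """Return (requirement, status) for every jupyter-server-proxy line in a requirements file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith('-'):         # skip pip options such as -r / --index-url
            continue
        m = REQ_RE.match(line)
        # PEP 503 normalisation so jupyter_server_proxy and Jupyter-Server-Proxy both match
        if not m or re.sub(r'[-_.]+', '-', m.group(1)).lower() != 'jupyter-server-proxy':
            continue
        op, ver = m.group(2), m.group(3)
        verdict = is_vulnerable(ver) if op in ('==', '===') else None
        if verdict is None:
            status = 'undetermined: check the installed version'
        else:
            status = 'vulnerable' if verdict else 'fixed'
        findings.append((m.group(0).strip(), status))
    return findings

# Constructed sample input; not taken from any real deployment.
SAMPLE_REQUIREMENTS = """\
jupyter-server==2.13.0
jupyter_server_proxy==4.1.0  # websocket proxy
Jupyter-Server-Proxy>=3.2 ; python_version < "3.9"
"""

if __name__ == '__main__':
    for req, status in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f'{req}: {status}')
```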
CVE-2024-28179 is a critical vulnerability in Jupyter Server Proxy versions up to 4.1.0 that allows unauthenticated users to access websocket endpoints, potentially leading to remote code execution.
You are affected if you are using Jupyter Server Proxy versions 4.1.0 or earlier. Check your version immediately.
Upgrade Jupyter Server Proxy to version 3.2.3 or later to resolve the vulnerability. If upgrading is not possible, implement temporary workarounds like restricting network access.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation. Monitor your systems closely.
Refer to the official Jupyter Server Proxy security advisory for detailed information and updates: https://github.com/jupyter/server-proxy/security/advisories/GHSA-xxxx-xxxx-xxxx