Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-35178

The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1.

Published

2024-06-06T16:15:11.937

Last Modified

2024-11-21T09:19:52.497

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jupyter	jupyter_server	< 2.14.1	Yes
Operating System	microsoft	windows	-	No

References

https://github.com/jupyter-server/jupyter_server/commit/79fbf801c5908f4d1d9bc90004b74cfaaeeed2df Patch ([email protected])
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62 Vendor Advisory ([email protected])
https://github.com/jupyter-server/jupyter_server/commit/79fbf801c5908f4d1d9bc90004b74cfaaeeed2df Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)