CVE-2024-35178

Name: CVE-2024-35178
Description: The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker can perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release       Version     Status
jupyter-server (PTS)   bullseye      1.2.2-1     fixed
                       bookworm      1.23.3-1    fixed
                       sid, trixie   2.14.2-4    fixed

The information below is based on the following data on fixed versions.

Package          Type     Release      Fixed Version    Urgency   Origin   Debian Bugs
jupyter-server   source   (unstable)   (not affected)

Notes

- jupyter-server <not-affected> (Windows-specific)
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62
