Jupyter Server
CVE-2024-35178
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 5 pypi packages depend on jupyter-server (5 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.14.1.
DescriptionNVD
The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1.
AnalysisAI
The Jupyter Server provides the backend for Jupyter web applications. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1. Affected products include: Jupyter Jupyter Server.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
More in Jupyter Server
View allThe Jupyter Server provides the backend (i.e. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitab
Jupyter Server provides the backend (i.e. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, lo
The Jupyter Server provides the backend (i.e. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable
jupyter-server is the backend for Jupyter web applications. Rated medium severity (CVSS 6.1), this vulnerability is remo
jupyter-server is the backend for Jupyter web applications. Rated medium severity (CVSS 6.1), this vulnerability is remo
Jupyter Server before version 1.0.6 has an Open redirect vulnerability. Rated medium severity (CVSS 5.4), this vulnerabi
The Jupyter Server provides the backend (i.e. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitab
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today