CVE-2024-22415

CVSS V2 None CVSS V3 None

Description

jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp.

Overview

CVE ID
CVE-2024-22415

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-01-18T20:27:39.180Z

Last Modified Date
2024-01-18T20:27:39.180Z

Weakness Enumerations

CWE	URL
CWE-23	http://cwe.mitre.org/data/definitions/23.html
CWE-284	http://cwe.mitre.org/data/definitions/284.html
CWE-306	http://cwe.mitre.org/data/definitions/306.html

References

Reference URL	Reference Tags
https://github.com/jupyter-lsp/jupyterlab-lsp/security/advisories/GHSA-4qhp-652w-c22x	x_refsource_CONFIRM
https://github.com/jupyter-lsp/jupyterlab-lsp/commit/4ad12f204ad0b85580fc32137c647baaff044e95	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-22415
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22415

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 09:20:07				Added to TrackCVE