jupyter-scheduler's endpoint is missing authentication
Moderate severity
GitHub Reviewed
Published
May 22, 2024
in
jupyter-server/jupyter-scheduler
•
Updated May 27, 2024
Package
Affected versions
>= 1.0.0, < 1.1.6
= 1.2.0
>= 1.3.0, < 1.8.2
>= 2.0.0, < 2.5.2
Patched versions
1.1.6
1.2.1
1.8.2
2.5.2
Description
Published by the National Vulnerability Database
May 23, 2024
Published to the GitHub Advisory Database
May 23, 2024
Reviewed
May 23, 2024
Last updated
May 27, 2024
Impact
jupyter_scheduler
is missing an authentication check in Jupyter Server on an API endpoint (GET /scheduler/runtime_environments
) which lists the names of the Conda environments on the server. In affected versions,jupyter_scheduler
allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name.This issue does not allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where
jupyter_scheduler
is running. This issue only reveals the list of Conda environment names.Impacted versions:
>=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1
Patches
jupyter-scheduler==1.1.6
jupyter-scheduler==1.2.1
jupyter-scheduler==1.8.2
jupyter-scheduler==2.5.2
Workarounds
Server operators who are unable to upgrade can disable the
jupyter-scheduler
extension with:References
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
References