CVE-2024-35178

Description

The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1.

How to fix CVE-2024-35178

To remediate CVE-2024-35178, upgrade the affected package to a fixed version below.

• —upgrade to 2.14.1 or later
• —upgrade to 79fbf801c5908f4d1d9bc90004b74cfaaeeed2df or later

Is CVE-2024-35178 being exploited?

Low — EPSS is 1.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2.14.1
• from 0, < 79fbf801c5908f4d1d9bc90004b74cfaaeeed2df, < 79fbf801c5908f4d1d9bc90004b74cfaaeeed2df | from 0, < 2.14.1

CVSS scores

References (6)

• ADVISORYgithub.com/advisories/GHSA-hrw6-wg82-cm62
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-35178
• PATCHgithub.com/jupyter-server/jupyter_server
• WEBgithub.com/jupyter-server/jupyter_server/commit/79fbf801c5908f4d1d9bc90004b74cfaaeeed2df