PT-2024-2426 · Unknown · Jupyter Server Proxy

Yuvipanda · Published 2024-03-20 · Updated 2025-02-21 · CVE-2024-28179

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jupyter Server Proxy, versions prior to 3.2.3
Jupyter Server Proxy, 4.x versions prior to 4.1.1
Description
Jupyter Server Proxy did not apply its user authentication check when proxying websocket connections. Anyone with network access to the Jupyter server could therefore open a websocket to any proxied application without credentials, which, depending on what the proxied application does with that connection, can lead to remote unauthenticated arbitrary code execution. Only websocket connections proxied through Jupyter Server Proxy are affected; proxied applications that do not use websockets, and the websocket endpoints served by Jupyter Server itself, are not.
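To make the bug class concrete, the following added example models a request dispatcher in which the authentication check guards only the plain HTTP branch, while a websocket upgrade is proxied before that check ever runs, next to the hardened ordering that authenticates first. It is an illustration written for this page, not Jupyter Server Proxy's handler code or its actual fix; the `Request` type, the token check, the proxied paths and the sample token are assumptions.

```python
"""Added illustration of the bug class behind CVE-2024-28179: a dispatcher
whose authentication check covers the plain HTTP branch only, so a websocket
upgrade is proxied with no credential check. Simplified model, not
jupyter-server-proxy's own handler code or fix."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed sample server token (Jupyter Server generates one at startup).
SERVER_TOKEN = "4f9e1b2c7d8a3e6f"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumed shape)."""
    path: str
    headers: dict = field(default_factory=dict)

    def is_websocket_upgrade(self) -> bool:
        return self.headers.get("Upgrade", "").lower() == "websocket"


def is_authenticated(req: Request) -> bool:
    """Accept the server token as 'Authorization: token <t>' or as a
    ?token= query parameter, the two forms Jupyter Server accepts."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("token ") and auth[len("token "):] == SERVER_TOKEN:
        return True
    query = parse_qs(urlparse(req.path).query)
    return query.get("token", [None])[0] == SERVER_TOKEN


def proxy_http(req: Request) -> str:
    return f"proxied HTTP {req.path}"


def proxy_websocket(req: Request) -> str:
    return f"proxied WS {req.path}"


def handle_vulnerable(req: Request) -> tuple:
    """Vulnerable dispatch: the websocket branch returns before the
    authentication check that guards the HTTP branch is reached."""
    if req.is_websocket_upgrade():
        return 101, proxy_websocket(req)   # no credential check on this path
    if not is_authenticated(req):
        return 403, "Forbidden"
    return 200, proxy_http(req)


def handle_fixed(req: Request) -> tuple:
    """Hardened dispatch: authenticate first, then branch on the upgrade."""
    if not is_authenticated(req):
        return 403, "Forbidden"
    if req.is_websocket_upgrade():
        return 101, proxy_websocket(req)
    return 200, proxy_http(req)


# Constructed requests: an anonymous websocket upgrade to a proxied app,
# the same upgrade carrying the token, and plain HTTP requests for contrast.
ANON_WS = Request("/proxy/8080/ws", {"Upgrade": "websocket", "Connection": "Upgrade"})
AUTH_WS = Request("/proxy/8080/ws", {"Upgrade": "websocket",
                                     "Authorization": f"token {SERVER_TOKEN}"})
ANON_HTTP = Request("/proxy/8080/")
AUTH_HTTP = Request(f"/proxy/8080/?token={SERVER_TOKEN}")


if __name__ == "__main__":
    for name, req in [("anon ws", ANON_WS), ("anon http", ANON_HTTP),
                      ("auth ws", AUTH_WS), ("auth http", AUTH_HTTP)]:
        print(f"{name:10s} vulnerable -> {handle_vulnerable(req)[0]}"
              f"  fixed -> {handle_fixed(req)[0]}")
```

The point of the pairing is the ordering: an authentication decorator or check attached to the HTTP handler is worthless if the upgrade path is dispatched around it, so the check belongs before the first branch that can hand a connection to the proxied application.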
Recommendations
Upgrade to 3.2.3 or later on the 3.x series, or to 4.1.1 or later on the 4.x series. Until the patch is applied, restrict network access to the proxied websocket endpoints (for example, with a firewall or a front-end proxy that admits only trusted networks). JupyterHub admins should follow the steps in the upstream advisory (GHSA-W3VC-FX9P-WP4V) to check which user servers run a vulnerable version and patch them, and should consider stopping user servers that are still running an unpatched version, since a running server keeps the vulnerable code loaded until it is restarted.
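For the version check in the recommendation above, the following added helper (not part of Jupyter Server Proxy or the upstream advisory) classifies a version string against the ranges this page gives, and can query the installed distribution through the standard library's importlib.metadata. The distribution name jupyter-server-proxy and the handling of pre-release tags are assumptions.

```python
"""Added helper: is an installed jupyter-server-proxy version inside the
ranges this advisory marks as affected (prior to 3.2.3, or 4.x prior to
4.1.1)? Not part of the project."""
import re
from importlib import metadata
from typing import Optional, Tuple

# Version tuples taken from this advisory's affected/fixed ranges.
FIXED_3X = (3, 2, 3)
FIRST_4X = (4, 0, 0)
FIXED_4X = (4, 1, 1)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.1.0', '4.1' or '4.1.0rc1' into a comparable numeric tuple.
    A pre-release tag is ignored (assumption), so '4.1.1rc1' counts as 4.1.1."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad to major.minor.patch


def is_vulnerable(version: str) -> bool:
    """True when the version is prior to 3.2.3, or in 4.x and prior to 4.1.1.
    Anything at or above a fixed release is reported as not vulnerable."""
    v = parse_version(version)
    if v < FIXED_3X:
        return True
    return FIRST_4X <= v < FIXED_4X


def installed_status(dist: str = "jupyter-server-proxy") -> Tuple[Optional[str], bool]:
    """Return (installed_version, vulnerable); (None, False) when not installed.
    Distribution name is assumed; metadata.version is the stdlib lookup."""
    try:
        ver = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None, False
    return ver, is_vulnerable(ver)


if __name__ == "__main__":
    ver, vuln = installed_status()
    print(ver or "not installed", "VULNERABLE" if vuln else "ok")
```

Run it inside each user server's environment (or the image it is built from), not only on the hub host, because the vulnerable package is the one loaded by the single-user server process.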

Weakness Enumeration

Missing Authentication

Related Identifiers

BDU:2024-02381
CVE-2024-28179
GHSA-W3VC-FX9P-WP4V
PYSEC-2024-234

Affected Products

Jupyter Server Proxy