Skip to content

Jupyter server on Windows discloses Windows user password hash

High severity GitHub Reviewed Published Jun 6, 2024 in jupyter-server/jupyter_server • Updated Jun 6, 2024

Package

pip jupyter_server (pip)

Affected versions

<= 2.14.0

Patched versions

2.14.1

Description

Summary

Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines.

References

@blink1073 blink1073 published to jupyter-server/jupyter_server Jun 6, 2024
Published by the National Vulnerability Database Jun 6, 2024
Published to the GitHub Advisory Database Jun 6, 2024
Reviewed Jun 6, 2024
Last updated Jun 6, 2024

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2024-35178

GHSA ID

GHSA-hrw6-wg82-cm62

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.