CVE-2024-22415

2024-01-1821:15:09

Google

osv.dev

jupyter-lsp

jupyterlab

code navigation

hover suggestions

linters

autocompletion

rename

language server protocol

unauthorised access

modification

file system

vulnerability

upgrade

uninstall

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.5%

JSON

jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp.

CPENameOperatorVersion
jupyterlab-lspeq2.0.2
jupyterlab-lspeq2.0.7
jupyterlab-lspeq2.1.0
jupyterlab-lspeq3.0.0
jupyterlab-lspeq3.9.3
jupyterlab-lspeq0.8.0
jupyterlab-lspeq0.6.1
jupyterlab-lspeq2.0.3
jupyterlab-lspeq4.0.0
jupyterlab-lspeq5.0.0

Name	Operator	Version
jupyterlab-lsp	eq	2.0.2
jupyterlab-lsp	eq	2.0.7
jupyterlab-lsp	eq	2.1.0
jupyterlab-lsp	eq	3.0.0
jupyterlab-lsp	eq	3.9.3
jupyterlab-lsp	eq	0.8.0
jupyterlab-lsp	eq	0.6.1
jupyterlab-lsp	eq	2.0.3
jupyterlab-lsp	eq	4.0.0
jupyterlab-lsp	eq	5.0.0