Impact
jupyter_scheduler is missing an authentication check in Jupyter Server on an API endpoint (GET /scheduler/runtime_environments) which lists the names of the Conda environments on the server. In affected versions, jupyter_scheduler allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name.
This issue does not allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where jupyter_scheduler is running. This issue only reveals the list of Conda environment names.
Impacted versions: >=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1
Patches
jupyter-scheduler==1.1.6jupyter-scheduler==1.2.1jupyter-scheduler==1.8.2jupyter-scheduler==2.5.2
Workarounds
Server operators who are unable to upgrade can disable the jupyter-scheduler extension with:
jupyter server extension disable jupyter-scheduler
References
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting
krassowski Reporter
Carreau Coordinator
andrii-i Remediation developer
dlqqq Remediation reviewer
yuvipanda Coordinator
Impact
jupyter_scheduleris missing an authentication check in Jupyter Server on an API endpoint (GET /scheduler/runtime_environments) which lists the names of the Conda environments on the server. In affected versions,jupyter_schedulerallows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name.This issue does not allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where
jupyter_scheduleris running. This issue only reveals the list of Conda environment names.Impacted versions:
>=1.0.0,<=1.1.5 ; ==1.2.0 ; >=1.3.0,<=1.8.1 ; >=2.0.0,<=2.5.1Patches
jupyter-scheduler==1.1.6jupyter-scheduler==1.2.1jupyter-scheduler==1.8.2jupyter-scheduler==2.5.2Workarounds
Server operators who are unable to upgrade can disable the
jupyter-schedulerextension with:References
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [email protected]. Please do not create a public GitHub issue.
[1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting