CVE-2024-35178
Jupyter server on Windows discloses Windows user password hash
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows machine hosting the Jupyter server, or access other network-accessible machines or 3rd party services using that credential. Or an attacker perform an NTLM relay attack without cracking the credential to gain access to other network-accessible machines. This vulnerability is fixed in 2.14.1.
Jupyter Server proporciona el backend para las aplicaciones web de Jupyter. Jupyter Server en Windows tiene una vulnerabilidad que permite a atacantes no autenticados filtrar el hash de contraseña NTLMv2 del usuario de Windows que ejecuta el servidor Jupyter. Un atacante puede descifrar esta contraseña para obtener acceso a la máquina Windows que aloja el servidor Jupyter, o acceder a otras máquinas accesibles en red o servicios de terceros utilizando esa credencial. O un atacante realiza un ataque de retransmisión NTLM sin descifrar la credencial para obtener acceso a otras máquinas accesibles en la red. Esta vulnerabilidad se solucionó en 2.14.1.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-05-10 CVE Reserved
- 2024-06-06 CVE Published
- 2024-08-02 CVE Updated
- 2024-10-25 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/jupyter-server/jupyter_server/commit/79fbf801c5908f4d1d9bc90004b74cfaaeeed2df | X_refsource_misc | |
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-hrw6-wg82-cm62 | X_refsource_confirm |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jupyter-server Search vendor "Jupyter-server" | Jupyter Server Search vendor "Jupyter-server" for product "Jupyter Server" | < 2.14.1 Search vendor "Jupyter-server" for product "Jupyter Server" and version " < 2.14.1" | en |
Affected
|