CVE-2024-22415

{"id": "CVE-2024-22415", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2024-01-18T21:15:09.087", "references": [{"url": "https://github.com/jupyter-lsp/jupyterlab-lsp/commit/4ad12f204ad0b85580fc32137c647baaff044e95", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyter-lsp/jupyterlab-lsp/security/advisories/GHSA-4qhp-652w-c22x", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp."}, {"lang": "es", "value": "jupyter-lsp es una herramienta de asistencia de codificaci\u00f3n para JupyterLab (navegaci\u00f3n de c\u00f3digo + sugerencias de desplazamiento + linters + autocompletado + cambio de nombre) que utiliza el protocolo de servidor de idiomas. Las instalaciones de jupyter-lsp que se ejecutan en entornos sin control de acceso al sistema de archivos configurado (en el nivel del sistema operativo) y con instancias de jupyter-server expuestas a una red no confiable son vulnerables al acceso no autorizado y a la modificaci\u00f3n del sistema de archivos m\u00e1s all\u00e1 del directorio ra\u00edz de jupyter. Este problema se solucion\u00f3 en la versi\u00f3n 2.2.2 y se recomienda a todos los usuarios que actualicen. Los usuarios que no puedan actualizar deben desinstalar jupyter-lsp."}], "lastModified": "2024-01-30T15:22:32.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jupyter:language_server_protocol_integration:*:*:*:*:*:jupyter:*:*", "vulnerable": true, "matchCriteriaId": "8721BAB0-1BD7-4974-807D-514D81E81AC8", "versionEndExcluding": "2.2.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}