{
  "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46845?format=json",
  "vulnerability_id": "VCID-rjsn-zkpw-sbbh",
  "summary": "Unsecured endpoints in the jupyter-lsp server extension\n### Impact\nInstallations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network is vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. Please note this vulnerability is in the extension and is patched in version 2.2.2 of that extension. This extension has been updated in jupyterlab-lsp version 5.0.2.\n\n### Patches\nVersion 2.2.2 has been patched.\n\n### Workarounds\nUsers of jupyterlab who do not use jupyterlab-lsp can uninstall jupyter-lsp.\n\n### Credits\nWe would like to credit Bary Levy, researcher of pillar.security research team, for the discovery and responsible disclosure of this vulnerability.",
  "aliases": [
    {"alias": "CVE-2024-22415"},
    {"alias": "GHSA-4qhp-652w-c22x"}
  ],
  "fixed_packages": [
    {"url": "http://public2.vulnerablecode.io/api/packages/68542?format=json", "purl": "pkg:pypi/jupyter-lsp@2.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@2.2.2"}
  ],
  "affected_packages": [
    {"url": "http://public2.vulnerablecode.io/api/packages/708062?format=json", "purl": "pkg:pypi/jupyter-lsp@0.6.0b0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.6.0b0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708063?format=json", "purl": "pkg:pypi/jupyter-lsp@0.7.0b0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.7.0b0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708064?format=json", "purl": "pkg:pypi/jupyter-lsp@0.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.7.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708065?format=json", "purl": "pkg:pypi/jupyter-lsp@0.8.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.8.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708066?format=json", "purl": "pkg:pypi/jupyter-lsp@0.9.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.9.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708067?format=json", "purl": "pkg:pypi/jupyter-lsp@0.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.9.1"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708068?format=json", "purl": "pkg:pypi/jupyter-lsp@0.9.2", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.9.2"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708069?format=json", "purl": "pkg:pypi/jupyter-lsp@0.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@0.9.3"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708070?format=json", "purl": "pkg:pypi/jupyter-lsp@1.0.0rc0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.0.0rc0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708071?format=json", "purl": "pkg:pypi/jupyter-lsp@1.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.0.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708072?format=json", "purl": "pkg:pypi/jupyter-lsp@1.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.1.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708073?format=json", "purl": "pkg:pypi/jupyter-lsp@1.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.1.1"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708074?format=json", "purl": "pkg:pypi/jupyter-lsp@1.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.1.2"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708075?format=json", "purl": "pkg:pypi/jupyter-lsp@1.1.3", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.1.3"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708076?format=json", "purl": "pkg:pypi/jupyter-lsp@1.1.4", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.1.4"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708077?format=json", "purl": "pkg:pypi/jupyter-lsp@1.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.2.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708078?format=json", "purl": "pkg:pypi/jupyter-lsp@1.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.3.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708079?format=json", "purl": "pkg:pypi/jupyter-lsp@1.4.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.4.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708080?format=json", "purl": "pkg:pypi/jupyter-lsp@1.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.4.1"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708081?format=json", "purl": "pkg:pypi/jupyter-lsp@1.5.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.5.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708082?format=json", "purl": "pkg:pypi/jupyter-lsp@1.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@1.5.1"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708083?format=json", "purl": "pkg:pypi/jupyter-lsp@2.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@2.0.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708084?format=json", "purl": "pkg:pypi/jupyter-lsp@2.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@2.0.1"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708085?format=json", "purl": "pkg:pypi/jupyter-lsp@2.1.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@2.1.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/708086?format=json", "purl": "pkg:pypi/jupyter-lsp@2.2.0", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@2.2.0"},
    {"url": "http://public2.vulnerablecode.io/api/packages/68541?format=json", "purl": "pkg:pypi/jupyter-lsp@2.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [{"vulnerability": "VCID-rjsn-zkpw-sbbh"}], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/jupyter-lsp@2.2.1"}
  ],
  "references": [
    {
      "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22415",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "0.00167", "scoring_system": "epss", "scoring_elements": "0.37507", "published_at": "2026-06-09T12:55:00Z"},
        {"value": "0.00167", "scoring_system": "epss", "scoring_elements": "0.37494", "published_at": "2026-06-08T12:55:00Z"},
        {"value": "0.00167", "scoring_system": "epss", "scoring_elements": "0.37534", "published_at": "2026-06-07T12:55:00Z"},
        {"value": "0.00167", "scoring_system": "epss", "scoring_elements": "0.37563", "published_at": "2026-06-05T12:55:00Z"},
        {"value": "0.00167", "scoring_system": "epss", "scoring_elements": "0.37566", "published_at": "2026-06-06T12:55:00Z"}
      ],
      "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22415"
    },
    {
      "reference_url": "https://github.com/jupyter-lsp/jupyterlab-lsp",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/jupyter-lsp/jupyterlab-lsp"
    },
    {
      "reference_url": "https://github.com/jupyter-lsp/jupyterlab-lsp/commit/4ad12f204ad0b85580fc32137c647baaff044e95",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-10T20:42:53Z/"}
      ],
      "url": "https://github.com/jupyter-lsp/jupyterlab-lsp/commit/4ad12f204ad0b85580fc32137c647baaff044e95"
    },
    {
      "reference_url": "https://github.com/jupyter-lsp/jupyterlab-lsp/releases/tag/v5.0.2",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://github.com/jupyter-lsp/jupyterlab-lsp/releases/tag/v5.0.2"
    },
    {
      "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22415",
      "reference_id": "",
      "reference_type": "",
      "scores": [
        {"value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""}
      ],
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22415"
    },
    {
      "reference_url": "https://github.com/advisories/GHSA-4qhp-652w-c22x",
      "reference_id": "GHSA-4qhp-652w-c22x",
      "reference_type": "",
      "scores": [
        {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
      ],
      "url": "https://github.com/advisories/GHSA-4qhp-652w-c22x"
    },
    {
      "reference_url": "https://github.com/jupyter-lsp/jupyterlab-lsp/security/advisories/GHSA-4qhp-652w-c22x",
      "reference_id": "GHSA-4qhp-652w-c22x",
      "reference_type": "",
      "scores": [
        {"value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},
        {"value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
        {"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": ""},
        {"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-10T20:42:53Z/"}
      ],
      "url": "https://github.com/jupyter-lsp/jupyterlab-lsp/security/advisories/GHSA-4qhp-652w-c22x"
    }
  ],
  "weaknesses": [
    {"cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},
    {"cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},
    {"cwe_id": 22, "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "description": "The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory."},
    {"cwe_id": 23, "name": "Relative Path Traversal", "description": "The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory."},
    {"cwe_id": 284, "name": "Improper Access Control", "description": "The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor."},
    {"cwe_id": 306, "name": "Missing Authentication for Critical Function", "description": "The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources."}
  ],
  "exploits": [],
  "severity_range_score": "7.0 - 8.9",
  "exploitability": "0.5",
  "weighted_severity": "8.0",
  "risk_score": 4.0,
  "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rjsn-zkpw-sbbh"
}