CVE-2024-22415

7.3 HIGH

📋 TL;DR

CVE-2024-22415 is a path traversal vulnerability in jupyter-lsp that allows attackers to access and modify files outside the Jupyter root directory when Jupyter servers are exposed to untrusted networks. This affects installations without proper OS-level file system access controls. All users running vulnerable versions are at risk.

💻 Affected Systems

Products:
  • jupyter-lsp
  • jupyterlab-lsp
Versions: All versions before 2.2.2
Operating Systems: All operating systems running Jupyter
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when Jupyter server is exposed to untrusted networks AND OS file system access controls are not properly configured.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the host file system, allowing attackers to read sensitive files, modify system configurations, install malware, or exfiltrate data.

🟠 Likely Case: Unauthorized access to project files, configuration files, and potentially sensitive data stored on the same system as the Jupyter server.

🟢 If Mitigated: No impact if proper network segmentation and file system permissions are configured, or if the vulnerability is patched.

🌐 Internet-Facing: HIGH - Jupyter servers exposed to the internet with vulnerable versions are easily exploitable by remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the Jupyter server.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Path traversal vulnerabilities are typically straightforward to exploit once discovered. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.2

Vendor Advisory: https://github.com/jupyter-lsp/jupyterlab-lsp/security/advisories/GHSA-4qhp-652w-c22x

Restart Required: Yes

Instructions:

1. Update jupyter-lsp: pip install --upgrade jupyter-lsp==2.2.2
2. Restart Jupyter server
3. Verify the update with: pip show jupyter-lsp

🔧 Temporary Workarounds

Network Isolation (all platforms)

Restrict Jupyter server access to trusted networks only.
Configure firewall rules to limit Jupyter server access to specific IP ranges.

File System Permissions (linux)

Implement strict OS-level file system access controls, for example:

chmod 700 /path/to/jupyter/root
chown jupyter_user:jupyter_group /path/to/jupyter/root

🧯 If You Can't Patch

  • Uninstall jupyter-lsp completely if patching is not possible
  • Implement strict network access controls and isolate Jupyter servers from untrusted networks

🔍 How to Verify

Check Version:

pip show jupyter-lsp | grep Version

Check if Vulnerable: the reported version is earlier than 2.2.2.

Verify Fix Applied: the reported version is 2.2.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in Jupyter logs
  • Requests attempting to access paths with '../' sequences

Network Indicators:

  • External connections to Jupyter server ports (typically 8888)

SIEM Query:

source="jupyter" AND (path="*../*" OR uri="*../*")
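A detection pass over Jupyter-style access-log lines, as an added example (not from the advisory or the jupyter-lsp project): the log lines, routes and addresses are constructed placeholders, and the check percent-decodes each request path so the '../' indicator above is also caught in encoded and double-encoded forms, which the plain wildcard SIEM query would miss.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the Jupyter server access-log style (not real captures).
# Routes and addresses are placeholders; the advisory does not name a specific endpoint.
SAMPLE_LOGS = [
    "[I 2024-01-20 10:00:01.123 ServerApp] 200 GET /api/contents?content=1 (10.0.0.5) 12.34ms",
    "[W 2024-01-20 10:00:02.456 ServerApp] 404 GET /lsp/../../outside/notes.txt (10.0.0.9) 1.20ms",
    "[I 2024-01-20 10:00:03.789 ServerApp] 200 GET /lsp/..%2F..%2Foutside%2Fnotes.txt (10.0.0.9) 0.98ms",
    "[I 2024-01-20 10:00:04.000 ServerApp] 200 GET /lsp/%252e%252e/outside (10.0.0.9) 0.77ms",
    "[I 2024-01-20 10:00:05.000 ServerApp] 200 GET /files/notebooks/..hidden.ipynb (10.0.0.5) 0.50ms",
]

REQUEST_RE = re.compile(r"\b(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\S+)")


def normalise_path(raw: str) -> str:
    """Strip the query string, then percent-decode until stable so that
    '..%2F', '%2e%2e' and double-encoded '%252e' all collapse to '..'."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # a few rounds is enough; stops early once nothing changes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw_path: str) -> bool:
    """True only when a whole path segment is '..', so '..hidden.ipynb' is not flagged."""
    return any(seg == ".." for seg in normalise_path(raw_path).split("/"))


def find_traversal(lines):
    """Return (line_number, method, decoded_path) for each request that traverses."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and has_traversal(m.group(2)):
            hits.append((n, m.group(1), normalise_path(m.group(2))))
    return hits


if __name__ == "__main__":
    for n, method, path in find_traversal(SAMPLE_LOGS):
        print(f"line {n}: {method} {path}")
```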
