jupyter-scheduler@1.1.3 vulnerabilities

A JupyterLab extension for running notebook jobs

Direct Vulnerabilities

Known vulnerabilities in the jupyter-scheduler package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Exposure of Sensitive Information to an Unauthorized Actor

jupyter-scheduler is an A JupyterLab extension for running notebook jobs

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor due to improper authentication check on the endpoint /scheduler/runtime_environments. Exploiting this vulnerability allows an unauthenticated attacker to obtain the list of Conda environment names on the server

Note

This issue does not allow an unauthenticated third party to read, modify, or enter the Conda environments present on the server where jupyter_scheduler is running. This issue only reveals the list of Conda environment names.

How to fix Exposure of Sensitive Information to an Unauthorized Actor?

Upgrade jupyter-scheduler to version 1.1.6, 1.2.1, 1.8.2, 2.5.2 or higher.

[,1.1.6) [1.2.0,1.2.1) [1.3.0,1.8.2) [2.0.0,2.5.2)