Relative Path Traversal Affecting jupyterlab-lsp package, versions [,5.0.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.09% (40th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-JUPYTERLABLSP-6180562
  • published 25 Jan 2024
  • disclosed 18 Jan 2024
  • credit Bary Levy

How to fix?

Upgrade jupyterlab-lsp to version 5.0.2 or higher.

Overview

jupyterlab-lsp is a Coding assistance for JupyterLab with Language Server Protocol

Affected versions of this package are vulnerable to Relative Path Traversal due configured file system without access control on the operating system level and jupyter-server instances exposed to non-trusted network. An unauthorised attacker could gain access and modify the file system beyond the jupyter root directory.

Workaround

Users of jupyterlab who do not use jupyterlab-lsp can uninstall jupyter-lsp.

References

CVSS Scores

version 3.1
Expand this section

Snyk

8.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    Low
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

9.8 critical