CVE-2024-28188
MEDIUM
jupyter-scheduler < 1.1.6, 1.2.1, 1.8.2, 2.5.2 - Exposure of Sensitive Information via Conda Environment List
Title source: llm
Description
Jupyter Scheduler is a collection of extensions for programming jobs to run now or run on a schedule. The list of conda environments of `jupyter-scheduler` users may be exposed, potentially revealing information about projects that a specific user may be working on. This vulnerability has been patched in versions 1.1.6, 1.2.1, 1.8.2 and 2.5.2.
References (2)
Core References
Issue Tracking x_refsource_misc
https://github.com/jupyter-server/jupyter_server/pull/1392
Vendor Advisory x_refsource_confirm
https://github.com/jupyter-server/jupyter-scheduler/security/advisories/GHSA-v9g2-g7j4-4jxc
Scores
CVSS v3
5.3
EPSS
0.0018
EPSS Percentile
39.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
CWE-287
Status
published
Products (5)
jupyter-server/jupyter-scheduler
= 1.2.0
jupyter-server/jupyter-scheduler
>= 1.0.0, <= 1.1.5
jupyter-server/jupyter-scheduler
>= 1.3.0, <= 1.8.1
jupyter-server/jupyter-scheduler
>= 2.0.0, <= 2.5.1
pypi/jupyter-scheduler
1.0.0 - 1.1.6
PyPI
Published
May 23, 2024
Tracked Since
Feb 18, 2026