CVE-2024-28179
Python vulnerability analysis and mitigation

Overview

Jupyter Server Proxy (versions <=4.1.0 on the 4.x line and <=3.2.2 on the 3.x line) contains a critical authentication bypass, CVE-2024-28179, disclosed in March 2024. The package lets users run arbitrary external processes alongside their Jupyter server and exposes them over the server's authenticated web interface. It failed to validate the user's authentication when proxying websocket connections, so anyone with network access to the Jupyter server endpoint could reach the proxied applications over websockets without logging in (GitHub Advisory).

Technical details

The vulnerability is a missing authentication check on the websocket path of the proxy handler. Plain HTTP requests to a proxied application went through the normal authentication check, but a websocket upgrade to the same proxied path was dispatched to a separate handler entry point that never enforced it, so the control could be bypassed entirely. NIST rates the issue CVSS v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); GitHub rates it 9.0 CRITICAL (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), the lower score reflecting the higher attack complexity and the changed scope. It is classified as CWE-306 (Missing Authentication for Critical Function) (NVD).
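The shape of the bug, as an added illustration that is not Jupyter Server Proxy's own code: a stand-in for the Tornado handler classes, using only the standard library, in which an `authenticated` decorator guards the HTTP verb method while the websocket upgrade is dispatched to a separate `open` entry point. The class names, the `dispatch` method, the `Authorization: token ...` header convention and the token value are all constructed for the example; the hardened form simply applies the same check to the websocket entry point.

```python
"""Model of CWE-306 as it appeared in a websocket proxy: the auth decorator
covers the HTTP verb method but not the websocket upgrade entry point.
Stand-in code for illustration, not the project's handler classes."""
import hmac
from dataclasses import dataclass, field
from functools import wraps

# Constructed token for the example; a real server generates one at start-up.
SERVER_TOKEN = "constructed-test-token"


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def is_websocket_upgrade(self) -> bool:
        return self.headers.get("Upgrade", "").lower() == "websocket"


class Unauthorized(Exception):
    pass


def authenticated(method):
    """Require a valid `Authorization: token <value>` header (constant-time compare)."""
    @wraps(method)
    def wrapper(self, request, *args, **kwargs):
        presented = request.headers.get("Authorization", "").removeprefix("token ")
        if not hmac.compare_digest(presented, SERVER_TOKEN):
            raise Unauthorized(f"{method.__name__}: no valid token for {request.path}")
        return method(self, request, *args, **kwargs)
    return wrapper


class VulnerableProxyHandler:
    """HTTP verbs are guarded; the websocket entry point is not."""

    @authenticated
    def get(self, request):
        return f"proxied HTTP GET {request.path}"

    def open(self, request):  # BUG: reached on upgrade, never decorated
        return f"proxied websocket {request.path}"

    def dispatch(self, request):
        # Websocket upgrades bypass `get` entirely and land in `open`.
        if request.is_websocket_upgrade:
            return self.open(request)
        return self.get(request)


class FixedProxyHandler(VulnerableProxyHandler):
    """Hardened form: the websocket entry point enforces the same check."""

    @authenticated
    def open(self, request):
        return f"proxied websocket {request.path}"


def probe(handler, request) -> bool:
    """True if the handler serves the request, False if it rejects it."""
    try:
        handler.dispatch(request)
        return True
    except Unauthorized:
        return False


def demo() -> dict:
    """Unauthenticated HTTP vs websocket against both handlers."""
    anon_http = Request("/proxy/8787/")
    anon_ws = Request("/proxy/8787/rpc", {"Upgrade": "websocket"})
    return {
        "vulnerable_http": probe(VulnerableProxyHandler(), anon_http),
        "vulnerable_ws": probe(VulnerableProxyHandler(), anon_ws),
        "fixed_ws": probe(FixedProxyHandler(), anon_ws),
    }


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{name}: {'SERVED' if served else 'rejected'}")
```

The point the model makes is that per-method decorators protect only the methods they are attached to: when a framework routes websocket upgrades through a different entry point than HTTP verbs, every entry point that reaches the proxied backend needs the check, and a test like `demo()` that probes each path anonymously is the regression test to keep.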

Impact

This vulnerability allows unauthenticated remote access to any websocket endpoint exposed through Jupyter Server Proxy. In many deployments, particularly those serving RStudio via jupyter-rsession-proxy or a Linux desktop over VNC via jupyter-remote-desktop-proxy, the proxied application itself offers a shell or code execution, so the bypass escalates to remote unauthenticated arbitrary code execution. The websocket endpoints exposed by jupyter_server itself (for example the kernel channels) are not affected, and proxied applications that do not use websockets are unaffected (GitHub Advisory).

Mitigation and workarounds

Users should upgrade to a patched version, 3.2.3 on the 3.x line or 4.1.1 on the 4.x line, and restart any running Jupyter server so the patched code is actually loaded. For JupyterHub administrators, the advisory gives specific guidance for both TLJH and Z2JH installations, including how to check whether an installation is vulnerable, how to apply the patch, and how to handle user servers that are already running. Organizations should note that they may be vulnerable even without depending directly on jupyter-server-proxy, since other packages (the RStudio and remote-desktop proxies among them) pull it in as a dependency (GitHub Advisory).
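A check for the step above, as an added example rather than a tool from the Jupyter project or the advisory: it compares an installed or supplied version string against the fixed releases named here (3.2.3 and 4.1.1), and lists the installed distributions that declare a dependency on jupyter-server-proxy so you can see what pulled it in. It uses only the standard library so it runs inside a server environment where `packaging` may be absent; the version parsing is a deliberately simplified subset of PEP 440 (pre-releases of a fixed version are treated as unfixed, post-releases as fixed), and the function names are this example's own.

```python
"""Check jupyter-server-proxy against the fixed versions from the advisory
(3.2.3 for 3.x, 4.1.1 for 4.x). Added example using only the standard
library; not a Jupyter project tool."""
import re
from importlib import metadata

FIXED_3X = (3, 2, 3)
FIXED_4X = (4, 1, 1)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
# Simplified PEP 440: a/b/rc/dev suffixes mark a pre-release; post/local count as the release.
_PRERELEASE_RE = re.compile(r"^[.\-_]?(a|b|rc|dev)", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'4.1.0' -> (4, 1, 0, 1); '4.1.1rc1' -> (4, 1, 1, 0); '4.1.1.post0' -> (4, 1, 1, 1).
    The trailing element orders a pre-release before its final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]  # pad to major.minor.patch
    is_prerelease = bool(_PRERELEASE_RE.match(m.group(2)))
    return nums + (0 if is_prerelease else 1,)


def is_vulnerable(version: str) -> bool:
    """True if this version predates the fix on its release line."""
    v = parse_version(version)
    if v[0] >= 4:
        return v < FIXED_4X + (1,)
    if v[0] == 3:
        return v < FIXED_3X + (1,)
    return True  # every release before the 3.x line predates the fix


def installed_status(dist_name: str = "jupyter-server-proxy"):
    """(version, vulnerable) for the interpreter's installed copy, or None if absent."""
    try:
        version = metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None
    return version, is_vulnerable(version)


def dependents(dist_name: str = "jupyter-server-proxy") -> list:
    """Installed distributions whose metadata requires dist_name (why it was pulled in)."""
    wanted = dist_name.lower().replace("_", "-")
    found = set()
    for dist in metadata.distributions():
        for req in dist.requires or []:
            name = re.split(r"[\s;<>=!~\[(]", req, 1)[0].lower().replace("_", "-")
            if name == wanted:
                found.add(dist.metadata["Name"])
                break
    return sorted(found)


if __name__ == "__main__":
    status = installed_status()
    if status is None:
        print("jupyter-server-proxy is not installed in this interpreter")
    else:
        version, vuln = status
        print(f"jupyter-server-proxy {version}: {'VULNERABLE' if vuln else 'fixed'}")
        if vuln:
            print("upgrade to 3.2.3 or 4.1.1 and restart the Jupyter server")
        deps = dependents()
        if deps:
            print("required by:", ", ".join(deps))
```

Run it with the same interpreter that launches the Jupyter server (a conda environment or a container image may carry a different copy than the system Python), and on JupyterHub run it inside the user image, since that is where user servers load the package.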
