
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Jupyter Server, the backend for Jupyter web applications such as Jupyter Notebook and JupyterLab, contains a vulnerability (CVE-2024-35178) that affects Windows systems. It allows unauthenticated attackers to leak the NTLMv2 password hash of the Windows user running the Jupyter server. Versions 2.14.0 and earlier are affected; the fix was released in version 2.14.1 (GitHub Advisory).
The vulnerability lies in the file handling mechanism of Jupyter Server on Windows. When serving static files, Jupyter Server uses a custom FileFindHandler, a subclass of Tornado's built-in StaticFileHandler. In its filefind function, file system operations are performed on insufficiently validated input before the handler verifies that the user-provided path lies within the restricted directory. A specially crafted UNC path therefore makes Windows open an SMB connection to an attacker-controlled server and authenticate to it, which is the callback that leaks the hash (Horizon3).
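To make the ordering problem concrete, here is an added example (not Jupyter Server's or Tornado's code) contrasting a lookup that probes the disk before the containment check with one that validates the path lexically first. It uses ntpath so Windows path rules apply on any OS; STATIC_ROOT and the probe callback are constructed for the example.

```python
import ntpath
import os
from typing import Optional

# Hypothetical static-file root, constructed for this example.
STATIC_ROOT = r"C:\jupyter\static"

def validate_static_path(root: str, requested: str) -> Optional[str]:
    """Lexical check of a client-supplied path: returns the resolved path if it
    is relative and stays inside root, else None. Uses ntpath so Windows rules
    (backslashes, drive letters, UNC prefixes) apply on any OS, and it never
    touches the disk: no exists(), stat() or open() happens here."""
    root = ntpath.normpath(root)
    candidate = ntpath.normpath(requested)
    # UNC (\\host\share) and device (\\?\, \\.\) prefixes: a stat() on these makes
    # Windows open an SMB session to `host` and authenticate as the server's
    # user, which is the NTLMv2 hash leak described in the advisory.
    if candidate.startswith("\\\\"):
        return None
    # Absolute or drive-qualified input must not replace the root.
    if ntpath.isabs(candidate) or ntpath.splitdrive(candidate)[0]:
        return None
    full = ntpath.normpath(ntpath.join(root, candidate))
    # Containment check after ".." resolution (Windows compares case-insensitively).
    if not full.lower().startswith(root.lower() + ntpath.sep):
        return None
    return full

def unsafe_find(root, requested, probe=os.path.isfile):
    """Vulnerable ordering (simplified, not Jupyter Server's code): the disk is
    probed before the containment check, so UNC input reaches the filesystem."""
    full = ntpath.normpath(ntpath.join(root, requested))
    if not probe(full):  # filesystem access on unvalidated input
        return None
    return full if validate_static_path(root, requested) else None

def safe_find(root, requested, probe=os.path.isfile):
    """Fixed ordering: validate lexically first, touch the disk only if it passes."""
    full = validate_static_path(root, requested)
    return full if full is not None and probe(full) else None

class RecordingProbe:
    """Stand-in for os.path.isfile that records what would have been stat()ed."""
    def __init__(self):
        self.calls = []
    def __call__(self, path):
        self.calls.append(path)
        return True
```

Running both variants with a RecordingProbe shows the difference a code reviewer should look for: the unsafe ordering hands the network path to the filesystem layer, the safe ordering never does.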
The vulnerability has significant security implications as it allows attackers to capture the NTLMv2 hash of the Windows user running the Jupyter server. This hash can be either cracked to reveal the plaintext password, potentially giving attackers access to the Windows machine hosting the Jupyter server, or used in NTLM relay attacks to gain access to other network-accessible machines or third-party services using those credentials (GitHub Advisory).
The vulnerability has been fixed in Jupyter Server version 2.14.1. Organizations should upgrade to this version or later immediately. Additionally, it is recommended to configure host/network firewalls to block SMB traffic going out to the Internet to prevent exploitation of forced Windows authentication vulnerabilities in general (Horizon3).
Source: This report was generated using AI