
AVID-2026-R1425

Description

Unsecured endpoints in the jupyter-lsp server extension (CVE-2024-22415)

Details

jupyter-lsp is a coding assistance tool for JupyterLab (code navigation, hover suggestions, linters, autocompletion and rename) using the Language Server Protocol. Installations of jupyter-lsp running in environments without file system access control configured at the operating system level, and with jupyter-server instances exposed to an untrusted network, are vulnerable to unauthorised access to and modification of the file system beyond the Jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp.

Reason for inclusion in AVID: CVE-2024-22415 describes an unauthenticated access and path traversal vulnerability in the jupyter-lsp extension used with JupyterLab, a component commonly involved in AI model development, experimentation, and deployment workflows. It affects software stack components (AI development tooling) that can be part of the supply chain for general-purpose AI systems, and it is clearly a security vulnerability with publicly documented evidence and a patch. It therefore satisfies the AVID criteria for an AI-related, GI/GP AI supply-chain, security/safety vulnerability with sufficient evidence.

References

Affected or Relevant Artifacts

  • Developer: jupyter-lsp
  • Deployer: jupyter-lsp
  • Artifact Details:
    Type: System
    Name: jupyterlab-lsp

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score: 7.3
Base Severity: 🔴 High
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🟢 Low
Integrity Impact: 🟢 Low
Availability Impact: 🟢 Low

CWE

ID: Description
CWE-23: Relative Path Traversal
CWE-284: Improper Access Control
CWE-306: Missing Authentication for Critical Function

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-01-18
  • Version: 0.3.3
  • AVID Entry