
AVID-2026-R1450

Description

jupyter-scheduler’s endpoint is missing authentication (CVE-2024-28188)

Details

Jupyter Scheduler is a collection of extensions for programming jobs to run now or on a schedule. The list of conda environments available to jupyter-scheduler users may be exposed by an endpoint that is missing authentication, potentially revealing information about the projects a specific user is working on. This vulnerability has been patched in versions 1.1.6, 1.2.1, 1.8.2 and 2.5.2.

Reason for inclusion in AVID: CVE-2024-28188 concerns jupyter-scheduler, a software component commonly used in AI workflows (Jupyter-based job scheduling). The advisory describes an unauthenticated endpoint that exposes sensitive information (the list of conda environments) to any network client, a network-reachable vulnerability with potential impact on AI pipelines. It affects a component used to build and run AI systems and has published patches, with CVE/NVD references, which provides sufficient signal for AI-specific supply-chain curation.
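The defect class described above, a Tornado request handler in a Jupyter Server extension whose HTTP verb method carries no @web.authenticated decorator, can be caught with a static check over the extension's handler modules before it reaches a deployment. The following is an added example written for this entry, not code from jupyter-scheduler or Jupyter Server; the EnvironmentsHandler and JobsHandler classes in the embedded sample are constructed to mirror the advisory's description and are not copied from the project's source.

```python
"""
Static audit for Jupyter Server extension handlers whose HTTP verb methods
(get/post/put/...) carry no tornado @web.authenticated decorator, the defect
class described in CVE-2024-28188. Added example, not project code.
"""
import ast
from typing import List, Tuple

HTTP_VERBS = {"get", "post", "put", "patch", "delete", "head", "options"}


def _decorator_name(node: ast.expr) -> str:
    """Render a decorator expression as a dotted name, dropping call
    parentheses so that @web.authenticated, @tornado.web.authenticated and
    @authorized() are all reduced to their dotted path."""
    if isinstance(node, ast.Call):
        node = node.func
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def find_unauthenticated_handlers(source: str) -> List[Tuple[str, str]]:
    """Return (class_name, method_name) for every HTTP verb method defined
    inside a class that is not wrapped by a decorator whose last component
    is 'authenticated'. Heuristic: it does not resolve imports, so a locally
    defined decorator called 'authenticated' would also satisfy it."""
    tree = ast.parse(source)
    findings = []
    for cls in ast.walk(tree):
        if not isinstance(cls, ast.ClassDef):
            continue
        for fn in cls.body:
            if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
                continue
            if fn.name not in HTTP_VERBS:
                continue
            names = {_decorator_name(d) for d in fn.decorator_list}
            if not any(n.split(".")[-1] == "authenticated" for n in names):
                findings.append((cls.name, fn.name))
    return findings


# Constructed sample modelled on the advisory's description. The handler
# class names and response bodies are illustrative, not the project's source.
VULNERABLE_SRC = '''
from jupyter_server.base.handlers import APIHandler
from tornado import web

class JobsHandler(APIHandler):
    @web.authenticated
    async def get(self):
        self.finish({"jobs": []})

    @web.authenticated
    async def post(self):
        self.finish({"job_id": "pending"})

class EnvironmentsHandler(APIHandler):
    # Missing @web.authenticated: any network client can list environments.
    async def get(self):
        self.finish({"environments": []})
'''

# Same sample with the decorator added, the shape of the published fix.
PATCHED_SRC = '''
from jupyter_server.base.handlers import APIHandler
from tornado import web

class EnvironmentsHandler(APIHandler):
    @web.authenticated
    async def get(self):
        self.finish({"environments": []})
'''

if __name__ == "__main__":
    print("vulnerable:", find_unauthenticated_handlers(VULNERABLE_SRC))
    print("patched:   ", find_unauthenticated_handlers(PATCHED_SRC))
```

The check is a lint, not proof: it treats any decorator ending in "authenticated" as sufficient and says nothing about authorization, so confirm a finding end to end by sending a request with no token or cookie to the endpoint on a test server and checking that the response is 403 rather than the environment list.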

References

Affected or Relevant Artifacts

  • Developer: jupyter-server
  • Deployer: jupyter-server
  • Artifact Details:
      Type: System
      Name: jupyter-scheduler

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score: 5.3
Base Severity: 🟠 Medium
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: 🟢 Low
Integrity Impact: NONE
Availability Impact: NONE

CWE

ID        Description
CWE-200   Exposure of Sensitive Information to an Unauthorized Actor
CWE-287   Improper Authentication

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-05-23
  • Version: 0.3.3
  • AVID Entry