Bug 1218976 (CVE-2024-22415)

Summary: VUL-0: CVE-2024-22415: jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without confi ...
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Security Team bot <security-team>
Status: CONFIRMED --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: stoyan.manolov
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/391707/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-19 04:30:22 UTC 
jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol. Installations of jupyter-lsp running in environments without configured file system access control (on the operating system level), and with jupyter-server instances exposed to non-trusted network are vulnerable to unauthorised access and modification of file system beyond the jupyter root directory. This issue has been patched in version 2.2.2 and all users are advised to upgrade. Users unable to upgrade should uninstall jupyter-lsp.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-22415
https://github.com/jupyter-lsp/jupyterlab-lsp/security/advisories/GHSA-4qhp-652w-c22x
https://www.cve.org/CVERecord?id=CVE-2024-22415
https://github.com/jupyter-lsp/jupyterlab-lsp/commit/4ad12f204ad0b85580fc32137c647baaff044e95
Comment 1 OBSbugzilla Bot 2024-01-19 09:35:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1218976) was mentioned in
https://build.opensuse.org/request/show/1139869 Factory / python-jupyter-lsp
Comment 2 Benjamin Greiner 2024-01-19 10:53:42 UTC 
Fixed for Factory, reassigning back for the SUSE SLE15 maintainer, if there is one