Advisories for the PyPI/jupyter-scheduler package

2024

jupyter-scheduler's endpoint is missing authentication

jupyter_scheduler is missing an authentication check in Jupyter Server on an API endpoint (GET /scheduler/runtime_environments) which lists the names of the Conda environments on the server. In affected versions, jupyter_scheduler allows an unauthenticated user to obtain the list of Conda environment names on the server. This reveals any information that may be present in a Conda environment name. This issue does not allow an unauthenticated third party to read, modify, …