Summary
The current version of Jupyter Enterprise Gateway (JEG 3.2.3) depends on a vulnerable jupyter-server version, 1.24.0 (see the CVEs below).
Details
The current version of Jupyter Enterprise Gateway depends on a vulnerable jupyter-server version, 1.24.0 (see the CVEs below). Trying to upgrade jupyter-server to the current release causes a compatibility conflict with JEG; pip reports the error `jupyter-enterprise-gateway 3.2.3 requires jupyter-server<2.0,>=1.7, but you have jupyter-server 2.14.1 which is incompatible.`
Please upgrade JEG so that it works with the current jupyter-server version.
| CVE | Score | Pub_Date | Severity | Exploitability | Exploit Type | Package | Package Version | Fixed Version | Package Path |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-35178 | 7.5 | 2024-06-06 | high | | | jupyter-server | 1.24.0 | 2.14.1 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-39968 | 6.1 | 2023-08-28 | medium | | | jupyter-server | 1.24.0 | 2.7.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-40170 | 6.1 | 2023-08-28 | medium | | | jupyter-server | 1.24.0 | 2.7.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
| CVE-2023-49080 | 4.3 | 2023-12-04 | medium | | | jupyter-server | 1.24.0 | 2.11.2 | /usr/local/python3/lib/python3.11/site-packages/jupyter_server |
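The root of the conflict is that every fixed version in the table (2.7.2, 2.11.2, 2.14.1) falls outside the range JEG pins (`jupyter-server<2.0,>=1.7`), so no patched jupyter-server can be installed without breaking the pin. The following script is an added example, not code from the JEG project: it reproduces that triage with the standard library only (no `packaging` dependency), checking each CVE's fixed version against the pin quoted in the error message and against the installed version. The version parser handles plain dotted releases only, which is all the table needs.

```python
"""Triage the jupyter-server CVE table against the JEG dependency pin.

Added example (not from the JEG project). Uses only the standard library.
"""
import operator
import re

# Pin reported in the pip error message from the issue.
JEG_JUPYTER_SERVER_PIN = "jupyter-server<2.0,>=1.7"

# Rows from the issue's table: (CVE, affected version found, first fixed version).
CVE_TABLE = [
    ("CVE-2024-35178", "1.24.0", "2.14.1"),
    ("CVE-2023-39968", "1.24.0", "2.7.2"),
    ("CVE-2023-40170", "1.24.0", "2.7.2"),
    ("CVE-2023-49080", "1.24.0", "2.11.2"),
]

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1). Only plain dotted releases are supported."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so '2.0' compares equal to '2.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_satisfies(version, requirement):
    """True if `version` satisfies a pip-style requirement like 'name<2.0,>=1.7'."""
    spec = re.sub(r"^[A-Za-z0-9_.\-]+", "", requirement)  # drop the package name
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([0-9.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, bound = _OPS[m.group(1)], parse_version(m.group(2))
        left, right = _pad(v, bound)
        if not op(left, right):
            return False
    return True


def is_fixed(installed, fixed_version):
    """True if the installed version is at or above the first fixed version."""
    left, right = _pad(parse_version(installed), parse_version(fixed_version))
    return left >= right


def triage(installed="1.24.0", pin=JEG_JUPYTER_SERVER_PIN, table=CVE_TABLE):
    """Per CVE: is the installed version still affected, and would the
    fixed version even be accepted by the JEG pin?"""
    rows = []
    for cve, _affected, fixed in table:
        rows.append({
            "cve": cve,
            "installed_affected": not is_fixed(installed, fixed),
            "fix_allowed_by_pin": version_satisfies(fixed, pin),
        })
    return rows


def minimum_safe_version(table=CVE_TABLE):
    """Smallest jupyter-server version that addresses every CVE in the table."""
    return max((fixed for _, _, fixed in table), key=parse_version)


if __name__ == "__main__":
    for row in triage():
        print(row)
    print("minimum safe jupyter-server:", minimum_safe_version())
```

Running it shows that 1.24.0 is affected by all four CVEs and that none of the fixed versions satisfies the pin, which is exactly why a plain `pip install --upgrade jupyter-server` fails; the only clean remediation is a JEG release that widens the pin to accept jupyter-server 2.x.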