exploitDog
GHSA-vrq4-9hc3-cgp7

Published: 12 Apr 2025
Source: github
GitHub: Reviewed
CVSS4: 9

Description

TigerVNC accessible via the network and not just via a UNIX socket as intended

Summary

jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy was still accessible via the network.

This vulnerability does not affect users having TurboVNC as the vncserver executable.

Credits

This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.

Packages

Name: jupyter-remote-desktop-proxy
Ecosystem: pip
Affected versions: = 3.0.0
Fixed version: 3.0.1

EPSS

Percentile: 14%
Score: 0.00046
Low

9 Critical

CVSS4

Weaknesses

CWE-668

Related vulnerabilities

nvd
10 months ago

Jupyter Remote Desktop Proxy allows you to run a Linux Desktop on a JupyterHub. jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy was still accessible via the network. This vulnerability does not affect users having TurboVNC as the vncserver executable. This issue is fixed in 3.0.1.

CVSS3: 9.6
fstec
10 months ago

A vulnerability in the Jupyter Remote Desktop Proxy remote desktop access software, related to an integer overflow, allowing an attacker to affect the confidentiality, availability and integrity of protected information.
