A Local Privilege Escalation vulnerability exists in Jupyter Extension 2023.10.10* (the asterisk is a wildcard over the build-number suffix) and earlier versions. These versions expose certain information, including the session key, in the command line arguments of the Jupyter Kernel process they spawn. Command line arguments are readable by every user on the same machine (for example through ps or, on Linux, /proc/<pid>/cmdline), so other users with lower privileges can spy on the (Jupyter Kernel) process created by another user on that machine and, holding its session key, impersonate VS Code towards that kernel.
Patches
The fix is available starting with Jupyter Extension 2023.10.1100000000. The fix (commit 0b25b2a) mitigates this attack by no longer passing the session key in the command line arguments of the Python process used to start the Jupyter Kernel.
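The following is an added example and is not code from the advisory or from the vscode-jupyter project. It contrasts the two launch shapes the advisory describes (a session key carried in argv, versus a key kept in an owner-only connection file whose path is the only thing in argv) and adds a small audit that scans command lines for secret-looking arguments, the same thing a lower-privileged local user could do. The flag name --Session.key= and the sample key are assumptions for illustration; the advisory does not name the argument that carried the key. The /proc scan only works on Linux.

```python
"""Added example (not from the advisory or the vscode-jupyter project): the leak
shape described above and the fix shape, plus a local audit for argv-borne secrets.
The '--Session.key=' flag is an assumption for illustration; the advisory does not
name the argument that carried the key."""
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches argv entries such as --Session.key=VALUE, --token=VALUE, -password=VALUE.
SECRET_ARG_RE = re.compile(r"(?:^|\s)--?[\w.]*(?:key|token|secret|password)=(\S+)", re.I)

KERNEL_BASE = ["python", "-m", "ipykernel_launcher"]


def vulnerable_kernel_argv(session_key: str) -> list[str]:
    """'Before' shape: the HMAC session key travels in argv.
    Every local user can read it via ps or /proc/<pid>/cmdline."""
    return KERNEL_BASE + [f"--Session.key={session_key}"]  # assumed flag name


def hardened_kernel_argv(session_key: str, workdir: Path) -> tuple[list[str], Path]:
    """'After' shape: the key lives in an owner-only connection file (the JSON
    layout jupyter_client uses) and argv carries only the file path."""
    conn = {"key": session_key, "signature_scheme": "hmac-sha256",
            "transport": "tcp", "ip": "127.0.0.1"}
    fd, path = tempfile.mkstemp(prefix="kernel-", suffix=".json", dir=workdir)  # created 0600
    with os.fdopen(fd, "w") as fh:
        json.dump(conn, fh)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # make the owner-only mode explicit
    return KERNEL_BASE + ["-f", path], Path(path)


def find_exposed_secrets(cmdlines: dict[int, str]) -> dict[int, str]:
    """Audit step: map pid -> leaked value for every command line carrying a secret."""
    hits = {}
    for pid, line in cmdlines.items():
        m = SECRET_ARG_RE.search(line)
        if m:
            hits[pid] = m.group(1)
    return hits


def read_proc_cmdlines() -> dict[int, str]:
    """Linux only: read every readable /proc/<pid>/cmdline (argv is NUL-separated).
    These files are world-readable by default, which is what makes the leak cross-user."""
    out = {}
    proc = Path("/proc")
    if not proc.is_dir():
        return out
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue
        out[int(entry.name)] = b" ".join(raw.split(b"\0")).decode(errors="replace").strip()
    return out


def demo(session_key: str = "0f3a9c1e-constructed-key") -> dict:
    """Run both launch shapes against the audit with a constructed key; return the findings."""
    vulnerable = {101: " ".join(vulnerable_kernel_argv(session_key))}  # constructed pid
    with tempfile.TemporaryDirectory() as tmp:
        argv, conn_path = hardened_kernel_argv(session_key, Path(tmp))
        mode = stat.S_IMODE(conn_path.stat().st_mode)
        file_key = json.loads(conn_path.read_text())["key"]
        hardened = {102: " ".join(argv)}  # constructed pid
    return {
        "vulnerable_leaks": find_exposed_secrets(vulnerable),
        "hardened_leaks": find_exposed_secrets(hardened),
        "key_in_hardened_argv": session_key in hardened[102],
        "conn_file_other_bits": mode & 0o077,  # group/other permission bits, expected 0
        "conn_file_key_matches": file_key == session_key,
        "posix": os.name == "posix",
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    leaks = find_exposed_secrets(read_proc_cmdlines())
    print(f"{len(leaks)} live process(es) expose a secret-looking argv value")
```

Running the script on a Linux host also audits the live process table; a non-empty count there means some process, not only a Jupyter kernel, is handing a credential to every local user. The hardened shape relies on the connection file's mode, so a connection file placed in a world-readable directory with loose permissions would reintroduce the same exposure through a different path.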
Workarounds
Do not share your machine with other users. Until the extension is updated, any other local user can read the command line of your kernel process, so a shared machine offers no protection.
References