Jupyter Remote Desktop Proxy TigerVNC Network Access Vulnerability
Vulnerability
A vulnerability in Jupyter Remote Desktop Proxy version 3.0.0 allows TigerVNC servers initiated by the proxy to be accessed over the network, contrary to the intended design of using UNIX sockets restricted to the current user. This issue does not occur when TurboVNC is used as the VNC server executable. The vulnerability has been addressed in version 3.0.1.
Impact
Exploitation of this vulnerability could lead to unauthorized network access to the VNC server, potentially allowing for remote control of the user's desktop session.
Reproduction
To reproduce this vulnerability, install Jupyter Remote Desktop Proxy version 3.0.0 and configure it to use TigerVNC as the VNC server. Once a session is started, the VNC server will be accessible over the network instead of being confined to a UNIX socket.
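A defender-side check for the condition described above, added here as an example (it is not code from the advisory or from the jupyter-remote-desktop-proxy project): it parses the output of `ss -ltnp` on the Jupyter host and reports any TCP listener owned by a VNC process, since under the intended design the proxy reaches the VNC server only through a per-user UNIX socket. The sample `ss` output embedded below is constructed for illustration; the port and PID values are not from the advisory.

```python
"""Report VNC servers (e.g. TigerVNC's Xvnc) that listen on TCP instead of a UNIX socket.

Added example, not part of the advisory or the jupyter-remote-desktop-proxy project.
Parses `ss -ltnp` output (Linux, iproute2). Any TCP listener owned by a process whose
name contains "vnc" is reported; a non-loopback bind is labelled "network".
"""
import re
import shutil
import subprocess

VNC_PROCESS = re.compile(r"vnc", re.IGNORECASE)
# ss prints the owning process as users:(("name",pid=N,fd=M)); needs root to see other users' PIDs.
PROCESS_FIELD = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      5      0.0.0.0:5901       0.0.0.0:*         users:(("Xvnc",pid=4242,fd=7))
LISTEN 0      5      [::]:5901          [::]:*            users:(("Xvnc",pid=4242,fd=8))
LISTEN 0      128    127.0.0.1:8888     0.0.0.0:*         users:(("jupyter-lab",pid=4100,fd=5))
"""


def find_tcp_vnc_listeners(ss_output):
    """Return (process, pid, bind_address, port, exposure) for every VNC TCP listener."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":   # skips the header row and non-listeners
            continue
        local, proc_field = cols[3], cols[-1]
        m = PROCESS_FIELD.search(proc_field)
        if not m or not VNC_PROCESS.search(m.group(1)):
            continue
        host, _, port = local.rpartition(":")     # rpartition handles "[::]:5901" as well
        exposure = "loopback" if host in LOOPBACK else "network"
        findings.append((m.group(1), int(m.group(2)), host, int(port), exposure))
    return findings


def main():
    if shutil.which("ss") is None:
        raise SystemExit("ss (iproute2) not found; this check is for Linux hosts")
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    for proc, pid, host, port, exposure in find_tcp_vnc_listeners(out):
        print(f"FINDING: {proc} (pid {pid}) listens on TCP {host}:{port} [{exposure}]")


if __name__ == "__main__":
    main()
```

A correctly configured 3.0.1 deployment with TigerVNC should produce no findings; an unexpected entry for Xvnc is the signal to check the package version and how the server was launched.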
Remediation
Users can upgrade to Jupyter Remote Desktop Proxy version 3.0.1 or later, where this vulnerability has been fixed.
