CVE-2022-24758 Information

Description

The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Any time a 5xx error is triggered, the auth cookie and other header values are recorded in the Jupyter server logs by default. Because reading these logs does not require root access, an attacker can monitor them, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
