Vulnerability Details : CVE-2022-24758
The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
Products affected by CVE-2022-24758
- cpe:2.3:a:jupyter:notebook:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24758
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24758
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2022-24758
-
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-24758
-
https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55
Sensitive Auth & Cookie data stored in Jupyter server logs · Advisory · jupyter/notebook · GitHubThird Party Advisory
Jump to