CVE-2022-24758: Log File Information Exposure in Notebook

Severity
NVD: 7.5 HIGH
OSV: 6.1
EPSS: 0.5% (top 34.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline
Published: Mar 31, 2022
Latest update: Aug 30, 2022

Description

The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs (the package ranges below list every version before 6.4.10 as affected). Any time a 5xx error is triggered, the auth cookie and other request header values are written verbatim to the Jupyter server log by default. Because reading these logs does not require root access, a local attacker can monitor them, harvest the auth/cookie values, and replay them to gain access to the Jupyter server. Jupyter notebook version 6.4.x c
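The following is an added example written for this page, not code from the jupyter/notebook project or its fix. It models the behaviour the description gives: a request-logging hook that, on a 5xx response, dumps all request headers into the log, shown beside a variant that redacts credential-bearing headers, plus a scanner that flags unredacted cookie or token values in an existing log and a helper for the "readable without root" check on the log file's mode. The header names, the redaction list and the sample request headers are constructed for the example.

```python
"""CVE-2022-24758 style header logging: leaky vs. redacted, plus a log scanner.

Added example, not the notebook project's own code. It reproduces the pattern
the advisory describes (5xx -> all request headers serialised into the log) and
the checks a practitioner would want to run against such a server.
"""
import json
import re
import stat
from typing import Dict, List, Optional, Tuple

# Constructed request headers, as a browser would send them to a notebook
# server. The cookie and token values are made-up placeholders.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "localhost:8888",
    "Cookie": "username-localhost-8888=2|1:0|10:1648700000|23:username-localhost-8888|44:abcdef0123456789abcdef0123456789abcdef01|deadbeef",
    "Authorization": "token 0123456789abcdef0123456789abcdef",
    "X-XSRFToken": "2|abc123|def456|1648700000",
    "User-Agent": "Mozilla/5.0",
}

# Assumed list of headers whose values are credentials or credential-equivalents.
SENSITIVE_HEADERS = {"cookie", "authorization", "x-xsrftoken"}


def log_error_headers_vulnerable(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Leaky pattern: on any 5xx, serialise every request header as-is.

    Returns the text that would be written to the server log, or None when
    the response was not a server error.
    """
    if status >= 500:
        return json.dumps(dict(headers), indent=2)
    return None


def log_error_headers_hardened(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Same trigger, but credential-bearing headers are replaced before logging."""
    if status < 500:
        return None
    safe = {
        name: ("[redacted]" if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }
    return json.dumps(safe, indent=2)


# Matches a JSON-style header line whose value is a real credential, i.e. not
# the "[redacted]" marker used above (the value class excludes '[').
LEAK_PATTERN = re.compile(
    r'"(?P<name>Cookie|Authorization|X-XSRFToken)":\s*"(?P<value>[^"\[]+)"',
    re.IGNORECASE,
)


def find_leaked_credentials(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, header_name) for every unredacted credential line."""
    leaks: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = LEAK_PATTERN.search(line)
        if match:
            leaks.append((lineno, match.group("name")))
    return leaks


def readable_by_others(mode: int) -> bool:
    """True if a file mode grants read access to group or other (e.g. 0o644).

    A log written with such a mode is the "does not require root access"
    condition from the advisory; 0o600 would not be.
    """
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    leaky = log_error_headers_vulnerable(500, SAMPLE_HEADERS)
    safe = log_error_headers_hardened(500, SAMPLE_HEADERS)
    print("leaky log entry:\n" + leaky)
    print("hardened log entry:\n" + safe)
    print("credentials found in leaky entry:", find_leaked_credentials(leaky))
    print("credentials found in hardened entry:", find_leaked_credentials(safe))
    print("0o644 log readable by non-owner:", readable_by_others(0o644))
```

To audit an existing deployment, feed the server's log file to find_leaked_credentials and check the file's mode with readable_by_others(os.stat(path).st_mode); any hit means the cookie or token in that line should be treated as compromised and rotated.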

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5: jupyter/notebook < 6.4.10
NVD: jupyter/notebook < 6.4.10
PyPI: jupyter/notebook < 6.4.10

🔴 Vulnerability Details (5)

OSV: jupyter-notebook vulnerabilities (2022-08-30)
OSV: Sensitive Auth & Cookie data stored in Jupyter server logs (2022-04-05)
GHSA: Sensitive Auth & Cookie data stored in Jupyter server logs (2022-04-05)
CVEList: Insertion of Sensitive Information into Log File affects Jupyter Notebook (2022-03-31)
OSV: CVE-2022-24758: The Jupyter notebook is a web-based notebook environment for interactive computing (2022-03-31)

📋 Vendor Advisories (2)

Ubuntu: Jupyter Notebook vulnerabilities (2022-08-30)
Debian: CVE-2022-24758: jupyter-notebook - The Jupyter notebook is a web-based notebook environment for interactive computi... (2022)
CVE-2022-24758 — Log File Information Exposure | cvebase