CVE-2022-29238 — Forced Browsing in Notebook

CWE-425 — Forced Browsing CWE-424 — Improper Protection of Alternate Path CWE-284 — Improper Access Control11 documents7 sources

Severity

4.3MEDIUMNVD

OSV6.1

EPSS

0.4%

top 39.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jupyter Notebook

Timeline

PublishedJun 14

Latest updateAug 30

Description

Jupyter Notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.12, authenticated requests to the notebook server with `ContentsManager.allow_hidden = False` only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5jupyter/notebook< 6.4.12

▶NVDjupyter/notebook< 6.4.12

▶PyPIjupyter/notebook< 6.4.12

🔴Vulnerability Details

OSV

jupyter-notebook vulnerabilities↗2022-08-30

▶

GHSA

Token bruteforcing.↗2022-06-16

▶

OSV

Token bruteforcing.↗2022-06-16

▶

CVEList

Forced Browsing in Jupyter Notebook↗2022-06-14

▶

OSV

CVE-2022-29238: Jupyter Notebook is a web-based notebook environment for interactive computing↗2022-06-14

▶

📋Vendor Advisories

Ubuntu

Jupyter Notebook vulnerabilities↗2022-08-30

▶

Debian

CVE-2022-29238: jupyter-notebook - Jupyter Notebook is a web-based notebook environment for interactive computing. ...↗2022

▶

📐Framework References

CWE

Improper Protection of Alternate Path↗

▶

CWE

Direct Request ('Forced Browsing')↗

▶

CWE

Improper Access Control↗

▶