CVE-2022-29241 – jupyter-server

Package

Manager: pip
Name: jupyter-server
Vulnerable Version: >=0 <1.17.1 || =2.0.0a0 || >=2.0.0a0 <2.0.0a1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00244 pctl0.47538

Details

Jupyter server Token bruteforcing Affects: Notebook and Lab between 6.4.0?(potentially earlier) and 6.4.11 (currently latest). Jupyter Server <=1.16.0. If I am correct about the responsible code it will affect Jupyter-Server 1.17.0 and 2.0.0a0 as well. Description: If notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute forcing the PID of the jupyter server. While this requires an authenticated user session, this url can be used from an xss payload (as in CVE-2021-32798) or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system.

Metadata

Created: 2022-06-16T23:13:57Z
Modified: 2023-10-26T13:29:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-q874-g24w-4q9g/GHSA-q874-g24w-4q9g.json
CWE IDs: []
Alternative ID: GHSA-q874-g24w-4q9g
Finding: F280
Auto approve: 1