CVE-2022-24758 – notebook

Package

Manager: pip
Name: notebook
Vulnerable Version: >=0 <6.4.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00169 pctl0.38622

Details

Sensitive Auth & Cookie data stored in Jupyter server logs Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Upgrade to notebook version 6.4.10 ### For more information If you have any questions or comments about this advisory, or vulnerabilities to report, please email our security list [security@ipython.org](mailto:security@ipython.org). Credit: @3coins for reporting. Thank you!

Metadata

Created: 2022-04-05T17:47:26Z
Modified: 2022-04-05T17:47:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-m87f-39q9-6f55/GHSA-m87f-39q9-6f55.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-m87f-39q9-6f55
Finding: F042
Auto approve: 1