Skip to main content

Notebook CVE-2022-24758

HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2022-03-31 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 31, 2022 - 23:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 pypi packages depend on notebook (7 direct, 0 indirect)

Ecosystem-wide dependent count for version 6.4.10.

DescriptionNVD

The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.

AnalysisAI

The Jupyter notebook is a web-based notebook environment for interactive computing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-532. The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds. Affected products include: Jupyter Notebook. Version information: version 6.4.9.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2021-32798 CRITICAL POC
9.6 Aug 09

The Jupyter notebook is a web-based notebook environment for interactive computing. Rated critical severity (CVSS 9.6),

CVE-2019-10856 MEDIUM POC
6.1 Apr 04

In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. Rated medium severity (CVSS 6.1), this

CVE-2015-6938 MEDIUM POC
4.3 Sep 21

Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2

CVE-2018-8768 HIGH
7.8 Mar 18

In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in th

CVE-2015-7337 MEDIUM
6.8 Sep 29

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute a

CVE-2024-22421 MEDIUM
6.5 Jan 19

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Ar

CVE-2024-43805 MEDIUM
6.1 Aug 28

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Archit

CVE-2024-22420 MEDIUM
6.1 Jan 19

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Ar

CVE-2020-26215 MEDIUM
6.1 Nov 18

Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnera

CVE-2019-10255 MEDIUM
6.1 Mar 28

An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in

CVE-2018-19352 MEDIUM
6.1 Nov 18

Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js ha

CVE-2018-19351 MEDIUM
6.1 Nov 18

Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have th

Share

CVE-2022-24758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy