Notebook
CVE-2022-24758
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 7 pypi packages depend on notebook (7 direct, 0 indirect)
Ecosystem-wide dependent count for version 6.4.10.
DescriptionNVD
The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
AnalysisAI
The Jupyter notebook is a web-based notebook environment for interactive computing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-532. The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds. Affected products include: Jupyter Notebook. Version information: version 6.4.9.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
The Jupyter notebook is a web-based notebook environment for interactive computing. Rated critical severity (CVSS 9.6),
In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. Rated medium severity (CVSS 6.1), this
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2
In Jupyter Notebook before 5.4.1, a maliciously forged notebook file can bypass sanitization to execute JavaScript in th
The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute a
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Ar
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Archit
JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Ar
Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnera
An Open Redirect vulnerability for all browsers in Jupyter Notebook before 5.7.7 and some browsers (Chrome, Firefox) in
Jupyter Notebook before 5.7.2 allows XSS via a crafted directory name because notebook/static/tree/js/notebooklist.js ha
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have th
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today