PT-2022-16859 · Unknown+1 · Jupyter Server+1

3Coins · Published 2022-03-23 · Updated 2022-04-04 · CVE-2022-24757

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jupyter Server versions prior to 1.15.4

Description: Jupyter Server is vulnerable to unauthorized disclosure of sensitive information through its server logs. When a 5xx error occurs, the authentication cookie and other request header values are written to the logs by default. Because reading these logs does not require root access, an attacker who can read them can harvest the authentication cookie or other credential-bearing header values and use them to gain access to the Jupyter server.

Recommendations: Upgrade to Jupyter Server version 1.15.4 to resolve the issue. As a temporary workaround, restrict read access to the server logs to reduce the risk of exploitation.
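The logging behaviour the description refers to, together with the two defensive responses an operator would want (redacting credential-bearing headers before a 5xx is logged, and checking an existing log for values that have already leaked), as an added Python example that is not Jupyter Server's own code; the header names, the log line format and the token value are constructed for illustration.

```python
import re
from typing import Dict, List

# Request headers that carry credentials. Constructed list for this example,
# not Jupyter Server's own configuration.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "x-xsrftoken"})


def log_line_vulnerable(status: int, headers: Dict[str, str]) -> str:
    """'Before' behaviour described in the advisory: on a 5xx response every
    request header, auth cookie included, is written to the log verbatim."""
    if status < 500:
        return f"{status} request completed"
    rendered = " | ".join(f"{k}={v}" for k, v in headers.items())
    return f"{status} server error headers[{rendered}]"


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Replace the value of every credential-bearing header before logging."""
    return {k: ("<redacted>" if k.lower() in SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


def log_line_fixed(status: int, headers: Dict[str, str]) -> str:
    """Hardened form: same diagnostic value, but no secret reaches the log."""
    return log_line_vulnerable(status, redact_headers(headers))


# Detection: a check an operator can run over an existing log to see whether
# it already holds leaked credentials. The pattern matches the constructed
# log format above, not any real Jupyter log layout.
LEAK_RE = re.compile(
    r"(?i)\b(cookie|authorization|x-xsrftoken)=(?!<redacted>)([^|\]]+)")


def find_leaked_credentials(log_text: str) -> List[str]:
    """Return the names of headers whose raw values appear in the log."""
    return [m.group(1).lower() for m in LEAK_RE.finditer(log_text)]


# Constructed request; the token value is a placeholder, not a real secret.
SAMPLE_HEADERS = {
    "Host": "localhost:8888",
    "Cookie": "_xsrf=abc; username-localhost-8888=EXAMPLE_TOKEN",
    "Authorization": "token EXAMPLE_TOKEN",
    "User-Agent": "example-client/1.0",
}

if __name__ == "__main__":
    print(log_line_vulnerable(500, SAMPLE_HEADERS))
    print(log_line_fixed(500, SAMPLE_HEADERS))
    print(find_leaked_credentials(log_line_vulnerable(500, SAMPLE_HEADERS)))
```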

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2022-24757
GHSA-P737-P57G-4CPR
PYSEC-2022-179

Affected Products

Debian
Jupyter Server