PT-2022-19491 · Unknown+1 · Jupyter Notebook+3

Rashley-Iqt · Published 2022-06-14 · Updated 2025-02-27 · CVE-2022-29241

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Jupyter Server versions prior to 1.17.1
Jupyter Notebook versions 6.4.0 through 6.4.11
Jupyter Lab versions 6.4.0 through 6.4.11
Description
At start-up the Jupyter server writes a runtime file, named after its own process ID, that contains the access token it generated. If the server is started with a root_dir that contains the starting user's home directory, that runtime directory falls inside the tree served by the contents REST API, and an attacker can read the token file by guessing or brute-forcing the server's PID. Reading the file requires an authenticated user session, so in practice the read is performed from a cross-site scripting payload or from a hooked or otherwise compromised browser, which then leaks the token to a malicious third party. With the token the attacker can use the REST API to interact with Jupyter services and notebooks, modify or overwrite critical files, read potentially sensitive data and possibly gain control of the impacted system.
Recommendations
For Jupyter Server versions prior to 1.17.1, update to version 1.17.1 or later. For Jupyter Notebook versions 6.4.0 through 6.4.11, update to a version later than 6.4.11. For Jupyter Lab versions 6.4.0 through 6.4.11, update to a version later than 6.4.11. Where updating is not immediately possible, as a temporary workaround start the server with a root_dir that does not contain the starting user's home directory (and therefore does not contain the Jupyter runtime directory holding the token file), and restrict access to the REST API to trusted clients.
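Two checks a defender can run for this exposure pattern, written as an added example for this page (not code from the advisory or from the Jupyter projects). The first tells you whether a given root_dir places the runtime directory inside the tree served by the contents API, and what API path prefix an authenticated client (or an XSS payload running in its browser) would use to reach it. The second scans server access-log lines for a client walking `jpserver-<pid>.json` / `nbserver-<pid>.json` names through `/api/contents`, which is what PID brute-forcing looks like on the wire. Assumptions: the default Linux runtime directory `~/.local/share/jupyter/runtime` (check yours with `jupyter --runtime-dir`), the `jpserver-<pid>.json` (jupyter_server) and `nbserver-<pid>.json` (notebook) file names, and the log-line shape of the constructed sample below, which approximates the server's default request logging and may need its regex adjusted for your deployment.

```python
"""Added example for CVE-2022-29241: runtime-dir exposure check and
PID-enumeration detection. Not code from the advisory or from Jupyter."""
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Assumed default Linux runtime directory; verify with `jupyter --runtime-dir`.
DEFAULT_RUNTIME_DIR = "/home/alice/.local/share/jupyter/runtime"


def is_runtime_dir_exposed(root_dir: str, runtime_dir: str = DEFAULT_RUNTIME_DIR):
    """Return (exposed, api_prefix).

    exposed is True when runtime_dir equals root_dir or lies beneath it, i.e.
    the token files are reachable through the contents API. api_prefix is the
    /api/contents path a client would request to list them (None if not exposed).
    """
    root = PurePosixPath(root_dir)
    runtime = PurePosixPath(runtime_dir)
    try:
        rel = runtime.relative_to(root)  # raises ValueError if not a subpath
    except ValueError:
        return False, None
    if rel == PurePosixPath("."):      # runtime_dir is root_dir itself
        return True, "/api/contents"
    return True, "/api/contents/" + rel.as_posix()


# Assumed log-line shape: "... ] <status> GET <path> (<user@ip>) <ms>ms"
LOG_RE = re.compile(r"\] (\d{3}) (?:GET|HEAD) (\S+) \(([^)]+)\)")
# Token files are named after the server PID: jpserver-<pid>.json / nbserver-<pid>.json
TOKEN_FILE_RE = re.compile(r"/api/contents/.*/(?:jp|nb)server-(\d+)\.json$")


def find_pid_enumeration(log_lines, min_attempts=3):
    """Group token-file requests by client; flag clients with >= min_attempts.

    Returns {client: {"attempts": n, "pids": [...], "hit": bool}} where hit is
    True if any request for a token file returned 200 (token file found).
    """
    per_client = defaultdict(lambda: {"attempts": 0, "pids": [], "hit": False})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        status, path, client = m.group(1), m.group(2).split("?", 1)[0], m.group(3)
        t = TOKEN_FILE_RE.search(path)
        if not t:
            continue
        rec = per_client[client]
        rec["attempts"] += 1
        rec["pids"].append(int(t.group(1)))
        if status == "200":
            rec["hit"] = True
    return {c: r for c, r in per_client.items() if r["attempts"] >= min_attempts}


# Constructed sample log: one client probes four consecutive PIDs and lands a 200.
SAMPLE_LOG = """\
[I 2022-06-14 10:00:01.000 ServerApp] 200 GET /api/contents/notebooks/analysis.ipynb?content=1 (user@10.0.0.5) 12.10ms
[W 2022-06-14 10:00:02.000 ServerApp] 404 GET /api/contents/.local/share/jupyter/runtime/jpserver-4000.json?content=1 (user@10.0.0.5) 1.02ms
[W 2022-06-14 10:00:02.100 ServerApp] 404 GET /api/contents/.local/share/jupyter/runtime/jpserver-4001.json?content=1 (user@10.0.0.5) 0.98ms
[W 2022-06-14 10:00:02.200 ServerApp] 404 GET /api/contents/.local/share/jupyter/runtime/jpserver-4002.json?content=1 (user@10.0.0.5) 1.01ms
[I 2022-06-14 10:00:02.300 ServerApp] 200 GET /api/contents/.local/share/jupyter/runtime/jpserver-4003.json?content=1 (user@10.0.0.5) 1.40ms
[I 2022-06-14 10:00:05.000 ServerApp] 200 GET /api/contents/README.md?content=1 (user@10.0.0.9) 3.00ms
"""

if __name__ == "__main__":
    for root in ("/home/alice", "/home/alice/projects", "/"):
        print(root, "->", is_runtime_dir_exposed(root))
    for client, rec in find_pid_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {rec['attempts']} token-file probes, pids={rec['pids']}, hit={rec['hit']}")
```

A server started as `jupyter server --ServerApp.root_dir=/home/alice/projects` is reported as not exposed by the first check, which is the workaround described above; `/home/alice` or `/` is reported as exposed together with the exact contents-API prefix the attacker would enumerate under. The detector is deliberately coarse (any client touching several PID-named token files in the contents API) because a legitimate user has no reason to request those files through the API at all.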

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2022-29241
GHSA-Q874-G24W-4Q9G
OPENSUSE-SU-2024:12147-1
OPENSUSE-SU-2025:14845-1
PYSEC-2022-211

Affected Products

Debian
Jupyterlab
Jupyter Notebook
Jupyter Server