CVE-2022-24758: Insertion of Sensitive Information into Log File affects Jupyter Notebook
Jupyter Notebook could allow a remote attacker to obtain sensitive information, caused by the storage of auth cookie and other header values in the log files when a 5xx error is triggered. By gaining access to the log files, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
Other sources
The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.
Affected Software
Event History
Frequently Asked Questions
What is CVE-2022-24758?
CVE-2022-24758 is a vulnerability in Jupyter Notebook that could allow a remote attacker to obtain sensitive information from server logs.
How does CVE-2022-24758 impact Jupyter Notebook?
CVE-2022-24758 allows unauthorized actors to access sensitive information, including authentication cookies and header values, from server logs.
What is the severity of CVE-2022-24758?
CVE-2022-24758 has a severity score of 7.5 (High).
Which software versions are affected by CVE-2022-24758?
Jupyter Notebook versions up to and excluding 6.4.10, IBM Cognos Analytics 11.2.x, and IBM Cognos Analytics 11.1.x are affected by CVE-2022-24758.
How can I mitigate CVE-2022-24758?
To mitigate CVE-2022-24758, you should upgrade Jupyter Notebook to version 6.4.10 or later and apply any relevant security patches for IBM Cognos Analytics.