CVE-2022-29241

Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute forcing the PID of the jupyter server. While this requires an authenticated user session, this URL can be used from a cross-site scripting payload or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system. This issue is patched in version 1.17.1.

CVSS v3 7.1 HIGH
CVSS v2.0 9.0 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.0^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:S/C:C/I:C/A:C

Exploitability : 8.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g	Third Party Advisory
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:58

Type	Values Removed	Values Added
CVSS	v2 : ~~9.0~~ v3 : ~~8.8~~	v2 : 9.0 v3 : 7.1
References	~~() https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g - Third Party Advisory~~	() https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g - Third Party Advisory

Information

Published : 2022-06-14 21:15

Updated : 2024-11-21 06:58

NVD link : CVE-2022-29241

Mitre link : CVE-2022-29241

CVE.ORG link : CVE-2022-29241

JSON object : View

Products Affected

jupyter

jupyter_server

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2022-29241", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-06-14T21:15:15.900", "references": [{"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the underlying REST API can be used to leak the access token assigned at start time by guessing/brute forcing the PID of the jupyter server. While this requires an authenticated user session, this URL can be used from a cross-site scripting payload or from a hooked or otherwise compromised browser to leak this access token to a malicious third party. This token can be used along with the REST API to interact with Jupyter services/notebooks such as modifying or overwriting critical files, such as .bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially sensitive data and possibly gain control of the impacted system. This issue is patched in version 1.17.1."}, {"lang": "es", "value": "Jupyter Server proporciona el backend (es decir, los servicios centrales, las API y los endpoints REST) para las aplicaciones web de Jupyter como Jupyter Notebook. En versiones anteriores a 1.17.1, si el servidor de Notebook es iniciado con un valor de \"root_dir\" que conten\u00eda el directorio de inicio del usuario, entonces la API REST subyacente pod\u00eda usarse para filtrar el token de acceso asignado en el momento del inicio adivinando/forzando el PID del servidor Jupyter. Mientras que esto requiere una sesi\u00f3n de usuario autenticada, esta URL puede ser usada desde una carga \u00fatil de tipo cross-site scripting o desde un navegador enganchado o comprometido de alguna manera para filtrar este token de acceso a un tercero malicioso. Este token puede ser usado junto con la API REST para interactuar con los servicios/notebooks de Jupyter, como modificar o sobrescribir archivos cr\u00edticos, como .bashrc o .ssh/authorized_keys, permitiendo a un usuario malicioso leer datos potencialmente confidenciales y posiblemente obtener el control del sistema impactado. Este problema est\u00e1 parcheado en versi\u00f3n 1.17.1"}], "lastModified": "2024-11-21T06:58:47.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B2EEB35-5530-4C7A-889C-911ADEFD923E", "versionEndExcluding": "1.17.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}

7.1 /10