SB2022061473 - Information disclosure in Jupyter Server
Published: June 14, 2022 Updated: May 5, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2022-29241)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the underlying REST API when accessing known or guessable hidden files under a root_dir that contains the starting user's home directory. A remote user can guess or brute-force the Jupyter server PID and read the access token assigned at start time, disclosing sensitive information.
Exploitation requires an authenticated user session and the server must be started with a root_dir that contains the starting user's home directory.
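A defender's check for the precondition stated above, as an added example that is not part of the bulletin or of Jupyter Server's code: it tests whether a configured root_dir is, or contains, the starting user's home directory, resolving symlinks first. The function names and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile


def root_dir_contains_home(root_dir, home):
    """Return True when `home` is `root_dir` itself or lies beneath it."""
    # realpath resolves symlinks and "..", so a link that points at a
    # parent of the home directory is treated like that parent.
    root = os.path.realpath(os.path.expanduser(root_dir))
    home = os.path.realpath(os.path.expanduser(home))
    try:
        # commonpath compares whole path components, so /home/alice2
        # is not mistaken for a parent of /home/alice.
        return os.path.commonpath([root, home]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def audit(servers, home):
    """Return names of servers whose root_dir meets the precondition."""
    return [name for name, root_dir in servers
            if root_dir_contains_home(root_dir, home)]


def sample_servers(base):
    """Constructed layout: build a small tree under `base`."""
    home = os.path.join(base, "home", "alice")
    os.makedirs(os.path.join(home, "notebooks"))
    os.makedirs(os.path.join(base, "home", "alice2"))
    os.makedirs(os.path.join(base, "srv"))
    link = os.path.join(base, "srv", "shared")
    os.symlink(os.path.join(base, "home"), link)  # link to home's parent
    servers = [
        ("home-itself", home),
        ("parent-of-home", os.path.join(base, "home")),
        ("subdir-of-home", os.path.join(home, "notebooks")),
        ("sibling-prefix", os.path.join(base, "home", "alice2")),
        ("symlink-to-parent", link),
    ]
    return home, servers


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        home, servers = sample_servers(base)
        for name in audit(servers, home):
            print("root_dir contains home:", name)
```

A server rooted in a subdirectory of the home directory, or in a sibling directory, does not meet the precondition and is not reported.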
Remediation
Install the update from the vendor's website.