Information disclosure in Jupyter Server - CVE-2022-29241

Published: June 14, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130158
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-29241
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Jupyter Server
Software vendor: Jupyter

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the underlying REST API when known or guessable hidden files are accessed under a root_dir that contains the starting user's home directory. A remote user can guess or brute-force the Jupyter server PID and read the access token assigned to the server at start time, disclosing sensitive information.

Exploitation requires an authenticated user session, and the server must have been started with a root_dir that contains the starting user's home directory.
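A detection-side illustration of the behaviour described above (an authenticated client guessing hidden file names through the contents REST API), added here as an example that is not part of the advisory or of Jupyter Server's code base: it scans constructed access-log lines whose field layout is an assumption, and flags clients that request many dotfile paths, collapsing numeric name guesses into one template so a PID-style enumeration stands out.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access log for this example: the field layout is modelled on
# Jupyter Server's tornado-style lines but is an assumption, not captured output.
# 10.0.0.5 walks a numeric sequence of hidden files until one request is served.
SAMPLE_LOG = """\
[I 2022-06-14 10:00:01.000 ServerApp] 200 GET /api/contents/work/notes.ipynb?content=0 (127.0.0.1) 3.10ms
[I 2022-06-14 10:00:02.000 ServerApp] 200 GET /api/contents/work/.gitignore (127.0.0.1) 1.05ms
[W 2022-06-14 10:00:03.000 ServerApp] 404 GET /api/contents/.config/app-7001.json (10.0.0.5) 1.20ms
[W 2022-06-14 10:00:03.100 ServerApp] 404 GET /api/contents/.config/app-7002.json (10.0.0.5) 1.18ms
[W 2022-06-14 10:00:03.200 ServerApp] 404 GET /api/contents/.config/app-7003.json (10.0.0.5) 1.22ms
[W 2022-06-14 10:00:03.300 ServerApp] 404 GET /api/contents/.config/app-7004.json (10.0.0.5) 1.19ms
[W 2022-06-14 10:00:03.400 ServerApp] 404 GET /api/contents/.config/app-7005.json (10.0.0.5) 1.21ms
[I 2022-06-14 10:00:03.500 ServerApp] 200 GET /api/contents/.config/app-7006.json (10.0.0.5) 2.40ms
"""

LINE_RE = re.compile(
    r"^\[\w (?P<ts>\S+ \S+) ServerApp\] (?P<status>\d{3}) (?P<method>[A-Z]+) "
    r"(?P<target>\S+) \((?P<client>[^)]+)\)"
)
CONTENTS_PREFIX = "/api/contents/"  # Jupyter Server's contents REST endpoint

def is_hidden_path(target: str) -> bool:
    """True when a contents-API request names a dotfile or dot-directory anywhere in the path."""
    path = urlsplit(target).path
    if not path.startswith(CONTENTS_PREFIX):
        return False
    rel = path[len(CONTENTS_PREFIX):]
    return any(part.startswith(".") for part in rel.split("/") if part)

def enumeration_template(target: str) -> str:
    """Collapse digit runs so a sequence of guessed numeric names maps to one template."""
    return re.sub(r"\d+", "#", urlsplit(target).path)

def flag_hidden_file_probing(log_text: str, threshold: int = 5) -> dict:
    """Per client, count hidden-path requests and how many were served (HTTP 200);
    return only clients at or above the threshold, with their path templates."""
    stats = defaultdict(lambda: {"hidden_requests": 0, "served": 0, "templates": defaultdict(int)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_hidden_path(m["target"]):
            continue
        s = stats[m["client"]]
        s["hidden_requests"] += 1
        s["served"] += m["status"] == "200"
        s["templates"][enumeration_template(m["target"])] += 1
    return {c: {**s, "templates": dict(s["templates"])}
            for c, s in stats.items() if s["hidden_requests"] >= threshold}
```

A single dotfile request (the `.gitignore` fetch from 127.0.0.1) stays below the threshold; the flagged entry's `served` count shows whether any probe actually returned content.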


Remediation

Install the security update from the vendor's website.
