Information disclosure in Jupyter Server - CVE-2022-29241

 

Information disclosure in Jupyter Server - CVE-2022-29241

Published: June 14, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130158
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-29241
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jupyter
Affected software:
Jupyter Server

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the underlying REST API when accessing known or guessable hidden files under a root_dir that contains the starting user's home directory. A remote user can guess or brute-force the Jupyter server PID to read the access token assigned at start time to disclose sensitive information.

Exploitation requires an authenticated user session and the server must be started with a root_dir that contains the starting user's home directory.


How to mitigate CVE-2022-29241

Install security update from vendor's website.

Sources