Source: jupyter-notebook
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jupyter-notebook.

CVE-2022-24758[0]:
| The Jupyter notebook is a web-based notebook environment for
| interactive computing. Prior to version 6.4.9, unauthorized actors can
| access sensitive information from server logs. Anytime a 5xx error is
| triggered, the auth cookie and other header values are recorded in
| Jupyter server logs by default. Considering these logs do not require
| root access, an attacker can monitor these logs, steal sensitive
| auth/cookie information, and gain access to the Jupyter server.
| Jupyter notebook version 6.4.x contains a patch for this issue. There
| are currently no known workarounds.

https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55
https://github.com/jupyter/notebook/commit/c219ce43c1ea25123fa70d264e7735bdf4585b1e (6.4.10)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24758
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24758

Please adjust the affected versions in the BTS as needed.
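
The following is an added example, not part of the original report and not the project's patch: a Python sketch that audits existing server logs for header dumps containing credential-bearing headers, plus an allowlist filter for logging headers on errors. The log layout, the header lists, and the names `find_leaked_headers` and `headers_for_error_log` are assumptions made for illustration.

```python
import json

# Assumption: header names treated as credential-bearing; extend per deployment.
SENSITIVE = {"cookie", "set-cookie", "authorization", "x-xsrftoken"}
# Assumption: a conservative allowlist of headers worth keeping in error logs.
SAFE = ("Host", "Accept", "Referer", "User-Agent")

# Constructed sample; the layout of real log lines may differ.
SAMPLE_LOG = '''[E 10:02:11.120 NotebookApp] 500 GET /api/contents/x (127.0.0.1) 12.30ms
[E 10:02:11.121 NotebookApp] {
  "Host": "localhost:8888",
  "Cookie": "username-localhost-8888=CONSTRUCTED-VALUE",
  "User-Agent": "curl/8.0"
}
[I 10:02:15.000 NotebookApp] 200 GET /tree (127.0.0.1) 3.10ms
'''

def headers_for_error_log(headers):
    """Keep only allowlisted headers (case-insensitive) before logging."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {n: lowered[n.lower()] for n in SAFE if n.lower() in lowered}

def find_leaked_headers(log_text):
    """Return (line_number, header_name) for each sensitive header found in
    a JSON object embedded in the log. Values are never returned or printed."""
    decoder = json.JSONDecoder()
    findings = []
    pos = log_text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(log_text, pos)
        except ValueError:
            # Not valid JSON at this brace; try the next one.
            pos = log_text.find("{", pos + 1)
            continue
        line_no = log_text.count("\n", 0, pos) + 1
        for name in obj:
            if name.lower() in SENSITIVE:
                findings.append((line_no, name))
        pos = log_text.find("{", end)
    return findings

if __name__ == "__main__":
    for line_no, name in find_leaked_headers(SAMPLE_LOG):
        print(f"line {line_no}: header '{name}' was logged; rotate that credential")
```

Any hit in logs written before the upgrade means the corresponding cookie or token should be treated as exposed and invalidated, and the log file's permissions reviewed.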