Bug 1200548 (CVE-2022-29241)

Summary: VUL-0: CVE-2022-29241: python-jupyter-server: potential access token leak
Product: [openSUSE] openSUSE Tumbleweed Reporter: Carlos López <carlos.lopez>
Component: SecurityAssignee: Benjamin Greiner <code>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P3 - Medium    
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/334578/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2022-06-15 06:58:56 UTC 
CVE-2022-29241

Jupyter Server provides the backend (i.e. the core services, APIs, and REST
endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version
1.17.1, if notebook server is started with a value of `root_dir` that contains
the starting user's home directory, then the underlying REST API can be used to
leak the access token assigned at start time by guessing/brute forcing the PID
of the jupyter server. While this requires an authenticated user session, this
URL can be used from a cross-site scripting payload or from a hooked or
otherwise compromised browser to leak this access token to a malicious third
party. This token can be used along with the REST API to interact with Jupyter
services/notebooks such as modifying or overwriting critical files, such as
.bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially
sensitive data and possibly gain control of the impacted system. This issue is
patched in version 1.17.1.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29241
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-q874-g24w-4q9g
Comment 1 Benjamin Greiner 2022-06-15 09:16:26 UTC 
sr#982746
Comment 2 OBSbugzilla Bot 2022-06-15 10:40:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1200548) was mentioned in
https://build.opensuse.org/request/show/982746 Factory / python-jupyter-server
Comment 3 Benjamin Greiner 2022-06-20 16:38:45 UTC 
it's in Factory