Bug 1200548 - (CVE-2022-29241) VUL-0: CVE-2022-29241: python-jupyter-server: potential access token leak
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Hardware: Other, OS: Other
Priority: P3 - Medium, Severity: Minor (vote)
Target Milestone: ---
Assigned To: Benjamin Greiner
QA Contact: Security Team bot
Depends on:
Reported: 2022-06-15 06:58 UTC by Carlos López
Modified: 2022-06-20 16:38 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-06-15 06:58:56 UTC

Jupyter Server provides the backend (i.e. the core services, APIs, and REST
endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version
1.17.1, if the notebook server is started with a value of `root_dir` that
contains the starting user's home directory, then the underlying REST API can be
used to leak the access token assigned at start time by guessing/brute-forcing
the PID of the jupyter server. While this requires an authenticated user
session, this URL can be used from a cross-site scripting payload or from a
hooked or otherwise compromised browser to leak this access token to a malicious
third party. This token can be used along with the REST API to interact with
Jupyter services/notebooks, such as modifying or overwriting critical files like
.bashrc or .ssh/authorized_keys, allowing a malicious user to read potentially
sensitive data and possibly gain control of the impacted system. This issue is
patched in version 1.17.1.
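The precondition in the description reduces to a containment check: jupyter-server writes a runtime file named after its own PID, jpserver-<pid>.json, into the Jupyter runtime directory, and that file carries the session token; if `root_dir` contains the runtime directory, each such file has a relative path that `/api/contents/<relative path>` will serve, and the PID is the only unknown. The script below is an added example, not code from this bug, the CVE advisory or the jupyter-server project: a pre-flight check a deployer can run against a planned `root_dir`. It takes the runtime directory as an argument (in real use, the output of `jupyter --runtime-dir`); the directory layout, PID 4242 and the token value it creates are constructed for the demonstration.

```python
"""Pre-flight check for a jupyter-server deployment: can the runtime file that
holds the access token be fetched through the contents REST API?

jupyter-server writes jpserver-<pid>.json into the Jupyter runtime directory
(`jupyter --runtime-dir` prints it); that file contains the "token" value.
If root_dir contains the runtime directory, /api/contents/<relative path>
can return it, and the PID in the name is the only thing left to guess.
"""
import json
import re
import tempfile
from pathlib import Path

# Real naming scheme of the server's runtime file; the PID is the guessable part.
RUNTIME_FILE_RE = re.compile(r"^jpserver-(\d+)\.json$")


def contents_api_path(root_dir, target):
    """Map a filesystem path to the /api/contents URL path that would serve it,
    or return None when the target lies outside root_dir."""
    root = Path(root_dir).resolve()
    path = Path(target).resolve()
    try:
        rel = path.relative_to(root)
    except ValueError:
        return None
    return "/api/contents/" + rel.as_posix()


def exposed_token_files(root_dir, runtime_dir):
    """Return [(api_path, pid, token)] for every jpserver-<pid>.json in
    runtime_dir that is reachable below root_dir. An empty list means
    root_dir does not contain the runtime directory (or it holds no server)."""
    runtime = Path(runtime_dir)
    if not runtime.is_dir():
        return []
    hits = []
    for entry in sorted(runtime.iterdir()):
        match = RUNTIME_FILE_RE.match(entry.name)
        if not match:
            continue
        api_path = contents_api_path(root_dir, entry)
        if api_path is None:
            continue
        with open(entry, encoding="utf-8") as fh:
            token = json.load(fh).get("token", "")
        hits.append((api_path, int(match.group(1)), token))
    return hits


def candidate_api_paths(root_dir, runtime_dir, pid_range):
    """The URL paths a PID-guessing client would have to request, one per PID,
    when runtime_dir sits below root_dir; [] when it does not. Shows why the
    search space is just the PID range, not the token itself."""
    base = contents_api_path(root_dir, runtime_dir)
    if base is None:
        return []
    return [f"{base}/jpserver-{pid}.json" for pid in pid_range]


def build_demo_layout(base=None):
    """Constructed layout: a home directory holding the Linux-style runtime
    directory and a separate notebooks folder. Returns (home, runtime, notebooks)."""
    base = Path(base or tempfile.mkdtemp(prefix="jpserver-demo-"))
    home = base / "home"
    runtime = home / ".local" / "share" / "jupyter" / "runtime"
    notebooks = home / "notebooks"
    runtime.mkdir(parents=True, exist_ok=True)
    notebooks.mkdir(parents=True, exist_ok=True)
    # Constructed runtime file; PID and token are demo values, not real ones.
    record = {
        "pid": 4242,
        "token": "0123456789abcdef0123456789abcdef",
        "url": "http://localhost:8888/",
    }
    (runtime / "jpserver-4242.json").write_text(json.dumps(record), encoding="utf-8")
    return home, runtime, notebooks


if __name__ == "__main__":
    home, runtime, notebooks = build_demo_layout()
    for label, root in (("root_dir = home", home), ("root_dir = home/notebooks", notebooks)):
        hits = exposed_token_files(root, runtime)
        print(f"{label}: {'EXPOSED' if hits else 'ok'}")
        for api_path, pid, token in hits:
            print(f"  {api_path} (pid {pid}) -> token {token[:8]}...")
```

The check treats containment alone as exposure and does not model whether a given server version refuses dot-prefixed paths; that is the conservative reading, and it is the one that also covers deployments where `ContentsManager.allow_hidden` is turned on. The remedy the description implies is the same either way: keep `root_dir` clear of the home directory, or run 1.17.1 or later.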

Comment 1 Benjamin Greiner 2022-06-15 09:16:26 UTC
Comment 2 OBSbugzilla Bot 2022-06-15 10:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1200548) was mentioned in
https://build.opensuse.org/request/show/982746 Factory / python-jupyter-server
Comment 3 Benjamin Greiner 2022-06-20 16:38:45 UTC
it's in Factory