AVID-2026-R0999

Description

Sensitive Auth & Cookie data stored in Jupyter server logs (CVE-2022-24757)

Details

The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications. Prior to version 1.15.4, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter Server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter Server version 1.15.4 contains a patch for this issue. There are currently no known workarounds.

Reason for inclusion in AVID: CVE-2022-24757 describes a software vulnerability in Jupyter Server where sensitive authentication data could be written to server logs, enabling leakage of cookies. This is a software issue affecting a component (Jupyter Server) commonly used in AI development and deployment pipelines (not hardware/firmware). It directly impacts the security of AI workflows by potentially exposing credentials. The report provides CVE details, affected version range, and a patch, satisfying AVID evidence requirements. This vulnerability sits in the software supply chain (dependencies/runtimes used in AI systems).

References

• NVD entry
• https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-p737-p57g-4cpr
• https://github.com/jupyter-server/jupyter_server/commit/a5683aca0b0e412672ac6218d09f74d44ca0de5a

Affected or Relevant Artifacts

• Developer: jupyter-server
• Deployer: jupyter-server
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-03-23
• Version: 0.3.3
• AVID Entry