AVID-2026-R1000

Description

Insertion of Sensitive Information into Log File affects Jupyter Notebook (CVE-2022-24758)

Details

The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.

Reason for inclusion in AVID: CVE-2022-24758 describes a vulnerability in Jupyter Notebook server where 5xx errors cause sensitive information (auth cookies and headers) to be logged, enabling unauthorized access via log files. This is a software vulnerability affecting a widely-used AI tooling component, impacting the software supply chain for AI systems (development/deployment environments rely on Jupyter). The CVE provides clear evidence (affected versions, patch details, advisory) and indicates high risk, with no known workarounds and a patch available in 6.4.x. Therefore it should be kept for AVID curation as a software-supply-chain-relevant vulnerability in AI stacks.

References

• NVD entry
• https://github.com/jupyter/notebook/security/advisories/GHSA-m87f-39q9-6f55

Affected or Relevant Artifacts

• Developer: jupyter
• Deployer: jupyter
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2022-03-31
• Version: 0.3.3
• AVID Entry