Source: jupyter-notebook
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for jupyter-notebook.

CVE-2022-29238[0]:
| Jupyter Notebook is a web-based notebook environment for interactive
| computing. Prior to version 6.4.12, authenticated requests to the
| notebook server with `ContentsManager.allow_hidden = False` only
| prevented listing the contents of hidden directories, not accessing
| individual hidden files or files in hidden directories (i.e. hidden
| files were 'hidden' but not 'inaccessible'). This could lead to
| notebook configurations allowing authenticated access to files that
| may reasonably be expected to be disallowed. Because fully
| authenticated requests are required, this is of relatively low impact.
| But if a server's root directory contains sensitive files whose only
| protection from the server is being hidden (e.g. `~/.ssh` while
| serving $HOME), then any authenticated requests could access files if
| their names are guessable. Such contexts also necessarily have full
| access to the server and therefore execution permissions, which also
| generally grants access to all the same files. So this does not
| generally result in any privilege escalation or increase in
| information access, only an additional, unintended means by which the
| files could be accessed. Version 6.4.12 contains a patch for this
| issue. There are currently no known workarounds.

https://github.com/jupyter/notebook/security/advisories/GHSA-v7vq-3x77-87vg

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-29238
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29238

Please adjust the affected versions in the BTS as needed.
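The listing-versus-access gap the advisory describes, as an added example that is not part of this bug report and not Jupyter's own code: a small in-memory stand-in for a contents manager. The names (`is_hidden_path`, `HiddenAwareContents`, `can_read`, `SAMPLE_TREE`) and the sample tree are constructed for illustration; the hidden check is simplified to "any path component starts with a dot", whereas a real contents manager would also consult OS-level hidden flags (assumption). `enforce_on_get=False` models the pre-6.4.12 behaviour in which the `allow_hidden = False` check ran only when listing a directory; `True` applies the same check to individual file reads, which is the property the fix needs to hold.

```python
import posixpath


def is_hidden_path(rel_path: str) -> bool:
    """True if any component of rel_path (relative to the server root) starts
    with a dot. The path is anchored and normalised first so that
    'work/../.ssh/id_rsa' is recognised as hidden and '..' cannot escape
    the root. Simplified check; real code would also honour OS hidden flags
    (assumption, not Jupyter's implementation)."""
    norm = posixpath.normpath("/" + rel_path)
    parts = [p for p in norm.split("/") if p]
    return any(p.startswith(".") for p in parts)


# Constructed in-memory tree standing in for $HOME served as the notebook root.
SAMPLE_TREE = {
    "work/analysis.ipynb": '{"cells": []}',
    ".ssh/id_rsa": "CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER",
    ".bashrc": "export EDITOR=vim",
}


class HiddenAwareContents:
    """Toy contents manager. enforce_on_get=False reproduces the gap described
    in the advisory (hidden check only on directory listing); True is the
    behaviour a fixed server must have (same check on every file access)."""

    def __init__(self, tree, allow_hidden=False, enforce_on_get=True):
        self.tree = tree
        self.allow_hidden = allow_hidden
        self.enforce_on_get = enforce_on_get

    def _deny_if_hidden(self, rel_path):
        if not self.allow_hidden and is_hidden_path(rel_path):
            raise PermissionError(f"{rel_path!r} is hidden and allow_hidden is False")

    def list_dir(self, rel_path=""):
        """Immediate children of rel_path, with dot-entries filtered out unless
        allow_hidden is set. Listing a hidden directory itself is refused."""
        self._deny_if_hidden(rel_path)
        prefix = posixpath.normpath("/" + rel_path).strip("/")
        prefix = prefix + "/" if prefix else ""
        children = set()
        for key in self.tree:
            if key.startswith(prefix):
                name = key[len(prefix):].split("/", 1)[0]
                if self.allow_hidden or not name.startswith("."):
                    children.add(name)
        return sorted(children)

    def get_file(self, rel_path):
        """Return file content. Only the fixed variant consults the hidden check."""
        if self.enforce_on_get:
            self._deny_if_hidden(rel_path)
        return self.tree[posixpath.normpath("/" + rel_path).strip("/")]


def can_read(manager, rel_path):
    """True if the manager serves rel_path, False if it refuses it as hidden."""
    try:
        manager.get_file(rel_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    gap = HiddenAwareContents(SAMPLE_TREE, allow_hidden=False, enforce_on_get=False)
    fixed = HiddenAwareContents(SAMPLE_TREE, allow_hidden=False)
    print("root listing (both):", gap.list_dir(""))          # ['work']
    print("pre-fix read of .ssh/id_rsa:", can_read(gap, ".ssh/id_rsa"))      # True
    print("fixed read of .ssh/id_rsa:", can_read(fixed, ".ssh/id_rsa"))      # False
    print("fixed read via work/../.ssh:", can_read(fixed, "work/../.ssh/id_rsa"))  # False
```

The point of the `can_read` pairs is that both variants produce the same root listing, so a listing-only test would not reveal the difference; the check has to be exercised on the file-read path, including paths that only become hidden after `..` normalisation.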