tlkh/serverless-transformers

CVE-2022-24758 (High) detected in notebook-5.7.10-py2.py3-none-any.whl

Opened this issue · 0 comments

mend-bolt-for-github commented

CVE-2022-24758 - High Severity Vulnerability

Vulnerable Library - notebook-5.7.10-py2.py3-none-any.whl

A web-based notebook environment for interactive computing

Library home page: https://files.pythonhosted.org/packages/7a/fb/6b1735e8ff43f68e867928526134cd6ba22554d596862a7fe71092ba8fc8/notebook-5.7.10-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/backend/requirements.txt

Dependency Hierarchy:

  • streamlit-0.55.2-py2.py3-none-any.whl (Root Library)
    • pydeck-0.5.0-py2.py3-none-any.whl
      • ipywidgets-7.5.1-py2.py3-none-any.whl
        • widgetsnbextension-3.5.1-py2.py3-none-any.whl
          • notebook-5.7.10-py2.py3-none-any.whl (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The Jupyter notebook is a web-based notebook environment for interactive computing. Prior to version 6.4.9, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter notebook version 6.4.x contains a patch for this issue. There are currently no known workarounds.

Publish Date: 2022-03-31

URL: CVE-2022-24758

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m87f-39q9-6f55

Release Date: 2022-03-31

Fix Resolution (notebook): 5.7.14

Direct dependency fix Resolution (streamlit): 0.56.0

Step up your Open Source Security Game with Mend here