4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29238

GHSA ID

GHSA-v7vq-3x77-87vg

EPSS Score

0.47672%

CWE

CWE-425

Published

6/16/2022

Updated

1/27/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29238

CVE-2022-29238: Token bruteforcing.

Impact

What kind of vulnerability is it? Who is impacted?

Authenticated requests to the notebook server with ContentsManager.allow_hidden = False only prevented listing the contents of hidden directories, not accessing individual hidden files or files in hidden directories (i.e. hidden files were 'hidden' but not 'inaccessible'). This could lead to notebook configurations allowing authenticated access to files that may reasonably be expected to be disallowed.

Because fully authenticated requests are required, this is of relatively low impact. But if a server's root directory contains sensitive files whose only protection from the server is being hidden (e.g. ~/.ssh while serving $HOME), then any authenticated requests could access files if their names are guessable. Such contexts also necessarily have full access to the server and therefore execution permissions, which also generally grants access to all the same files. So this does not generally result in any privilege escalation or increase in information access, only an additional, unintended means by which the files could be accessed.

Patches

Has the problem been patched? What versions should users upgrade to?

notebook 6.4.12

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run the notebook server in a directory with hidden files, use subdirectories
Use a custom ContentsManager with additional checks for self.is_hidden(path) prior to completing actions

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in example link to repo
Email us at example email address

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-29238

GHSA ID

GHSA-v7vq-3x77-87vg

EPSS Score

0.47672%

CWE

CWE-425

Published

6/16/2022

Updated

1/27/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
notebook	pip	< 6.4.12	6.4.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing hidden file checks in file access methods despite allow_hidden=False. The workaround guidance explicitly mentions adding self.is_hidden(path) checks in ContentsManager methods, indicating these functions lacked proper authorization checks. The get() method handles file retrieval while _get_os_path() handles path resolution - both critical points where hidden file validation should occur. The high confidence comes from the advisory's direct implication of missing is_hidden checks in file access flows.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ *ut**nti**t** r*qu*sts to t** not**ook s*rv*r wit* `*ont*ntsM*n***r.*llow_*i***n = **ls*` only pr*v*nt** listin* t** *ont*nts o* *i***n *ir**tori*s, not ****ssin* in*ivi*u*l *i***n *il*

Reasoning

T** vuln*r**ility st*ms *rom missin* *i***n *il* ****ks in *il* ****ss m*t*o*s **spit* *llow_*i***n=**ls*. T** work*roun* *ui**n** *xpli*itly m*ntions ***in* s*l*.is_*i***n(p*t*) ****ks in *ont*ntsM*n***r m*t*o*s, in*i**tin* t**s* *un*tions l**k** pr

4.3

Basic Information

Concerned about an active attack path?

CVE-2022-29238: Token bruteforcing.

Impact

Patches

Workarounds

References

For more information

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI