Jupyter Server
cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*
- <= 2.17.0
A vulnerability in Jupyter Server in versions through 2.17.0 allows authentication cookies to remain valid indefinitely, even after a password reset. The secret used to sign these cookies is stored in a static file and is not rotated when a user changes their password. As a result, an attacker who captures a session cookie can maintain full authenticated access to the server, regardless of subsequent password changes. This issue primarily affects deployments using password-based authentication, especially on shared or public-facing servers where credential rotation is expected to revoke existing sessions.
This vulnerability allows for unauthorized access to Jupyter Server by maintaining valid authentication cookies even after a password change, potentially leading to unauthorized actions or access to sensitive information on the server.
To reproduce this vulnerability, start a Jupyter server with password authentication. Log in and capture the authentication cookie, then change the password, which is expected to revoke existing sessions. After restarting the server, the previously captured cookie is still accepted and provides full authenticated access.
Users can upgrade to Jupyter Server version 2.18.0 or later, or manually remove the cookie secret file and restart the server so that a fresh signing secret is generated and cookies issued under the old one stop verifying.
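The following is an added example, not Jupyter Server's own code, that models the mechanism described above and the mitigation: session cookies are HMAC-signed with a secret read from a static file; a password reset that leaves that file untouched lets a cookie issued before the reset verify afterwards, while regenerating the secret file on reset (or removing it and restarting) revokes it. The file name `cookie_secret`, the `user|mac` cookie format, the single-user password store and the `Server` class are all assumptions made for the illustration.

```python
"""Model of why a static cookie secret keeps old sessions alive after a password reset.

Added example, not Jupyter Server's code. The secret file name, cookie format
and server model are assumptions; the real layout is not stated in the advisory.
"""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical name for the signing-secret file (placeholder, not the real path).
COOKIE_SECRET_FILE = "cookie_secret"


def load_or_create_secret(runtime_dir: Path) -> bytes:
    """Read the signing secret from its file, generating a new one if the file is absent."""
    path = runtime_dir / COOKIE_SECRET_FILE
    if path.exists():
        return path.read_bytes()
    secret = secrets.token_bytes(32)
    path.write_bytes(secret)
    return secret


def sign_cookie(secret: bytes, username: str) -> str:
    """Issue a session cookie of the form '<username>|<hex HMAC-SHA256>'."""
    mac = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"


def verify_cookie(secret: bytes, cookie: str) -> bool:
    """Accept the cookie only if its MAC was produced with the current secret."""
    try:
        username, mac = cookie.split("|", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, username.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _hash_password(password: str) -> str:
    # Plain SHA-256 is enough for the model; a real server would use a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class Server:
    """Minimal stand-in for a password-protected server that issues signed cookies."""

    def __init__(self, runtime_dir: Path, password: str):
        self.runtime_dir = runtime_dir
        self.password_hash = _hash_password(password)
        self.secret = load_or_create_secret(runtime_dir)

    def login(self, password: str, username: str = "user") -> Optional[str]:
        """Return a signed cookie for a correct password, None otherwise."""
        if not hmac.compare_digest(_hash_password(password), self.password_hash):
            return None
        return sign_cookie(self.secret, username)

    def reset_password_vulnerable(self, new_password: str) -> None:
        """Change the password but leave the secret file untouched (the flaw described)."""
        self.password_hash = _hash_password(new_password)

    def reset_password_fixed(self, new_password: str) -> None:
        """Change the password and rotate the secret so earlier cookies stop verifying."""
        self.password_hash = _hash_password(new_password)
        (self.runtime_dir / COOKIE_SECRET_FILE).unlink(missing_ok=True)
        self.secret = load_or_create_secret(self.runtime_dir)

    def restart(self) -> "Server":
        """Reload the secret from disk, as a process restart would."""
        self.secret = load_or_create_secret(self.runtime_dir)
        return self


def old_cookie_survives_reset(rotate_secret: bool) -> bool:
    """True if a cookie issued before a password reset still verifies after reset + restart."""
    with tempfile.TemporaryDirectory() as tmp:
        server = Server(Path(tmp), "old-password")
        cookie = server.login("old-password")
        if rotate_secret:
            server.reset_password_fixed("new-password")
        else:
            server.reset_password_vulnerable("new-password")
        server.restart()
        return verify_cookie(server.secret, cookie)


if __name__ == "__main__":
    print("static secret, old cookie still valid:", old_cookie_survives_reset(False))
    print("rotated secret, old cookie still valid:", old_cookie_survives_reset(True))
```

Run it directly to see the two outcomes side by side; the only difference between the vulnerable and fixed reset paths is whether the secret file is regenerated, which is also why deleting that file and restarting works as a manual mitigation.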