JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users.
In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.
References
Configurations
Configuration 1 (hide)
|
History
12 Aug 2024, 15:53
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo | |
First Time |
Jupyter jupyterhub
Jupyter |
|
References | () https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428 - Patch | |
References | () https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba - Patch | |
References | () https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f - Third Party Advisory | |
Summary |
|
|
CPE | cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*:* cpe:2.3:a:jupyter:jupyterhub:5.0.0:beta2:*:*:*:*:*:* cpe:2.3:a:jupyter:jupyterhub:5.0.0:beta1:*:*:*:*:*:* cpe:2.3:a:jupyter:jupyterhub:5.0.0:-:*:*:*:*:*:* |
08 Aug 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-08 15:15
Updated : 2024-08-12 15:53
NVD link : CVE-2024-41942
Mitre link : CVE-2024-41942
CVE.ORG link : CVE-2024-41942
JSON object : View
Products Affected
jupyter
- jupyterhub
CWE