Description

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.

INFO

Published Date :

2024-08-08T14:36:44.498Z

Last Modified :

2024-08-08T15:17:06.179Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-41942 vulnerability.

Vendors Products
Jupyter
  • Jupyterhub
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-41942.

URL Resource
https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428 cve-icon cve-icon
https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba cve-icon cve-icon
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact