CVE-2024-28233 – jupyterhub

Package

Manager: pip
Name: jupyterhub
Vulnerable Version: >=0 <4.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00135 pctl0.34023

Details

Cross site scripting (XSS) in JupyterHub via Self-XSS leveraged by Cookie Tossing ### Impact Affected configurations: - Single-origin JupyterHub deployments - JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve the following: - Full access to JupyterHub API and user's single-user server, e.g. - Create and exfiltrate an API Token - Exfiltrate all files hosted on the user's single-user server: notebooks, images, etc. - Install malicious extensions. They can be used as a backdoor to silently regain access to victim's session anytime. ### Patches To prevent cookie-tossing: - Upgrade to JupyterHub 4.1 (both hub and user environment) - enable per-user domains via `c.JupyterHub.subdomain_host = "https://mydomain.example.org"` - set `c.JupyterHub.cookie_host_prefix_enabled = True` to enable domain-locked cookies or, if available (applies to earlier JupyterHub versions): - deploy jupyterhub on its own domain, not shared with any other services - enable per-user domains via `c.JupyterHub.subdomain_host = "https://mydomain.example.org"`

Metadata

Created: 2024-03-28T17:08:10Z
Modified: 2024-03-28T17:08:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7r3h-4ph8-w38g/GHSA-7r3h-4ph8-w38g.json
CWE IDs: ["CWE-352", "CWE-565", "CWE-79"]
Alternative ID: GHSA-7r3h-4ph8-w38g
Finding: F008
Auto approve: 1