CVE-2024-41942 – jupyterhub

Package

Manager: pip
Name: jupyterhub
Vulnerable Version: >=0 <4.1.6 || >=5.0.0 <5.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00191 pctl0.41169

Details

JupyterHub has a privilege escalation vulnerability with the `admin:users` scope ### Summary If a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. ### Details The `admin:users` scope allows a user to edit user records: > admin:users > > Read, write, create and delete users and their authentication state, not including their servers or tokens. > > -- https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes However, this includes making users admins. Admin users are granted scopes beyond `admin:users` making this a mechanism by which granted scopes may be escalated. ### Impact The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional.

Metadata

Created: 2024-08-08T14:37:06Z
Modified: 2025-01-21T17:56:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-9x4q-3gxw-849f/GHSA-9x4q-3gxw-849f.json
CWE IDs: ["CWE-274"]
Alternative ID: GHSA-9x4q-3gxw-849f
Finding: F159
Auto approve: 1