Improper authorization control for web services in jupyterhub-firstuseauthenticator
Description
Improper Access Control in jupyterhub-firstuseauthenticator
Impact
When JupyterHub is used with FirstUseAuthenticator, the vulnerability allows unauthorized access to any user's account if create_users=True and the username is known or guessed.
Patches
Upgrade jupyterhub-firstuseauthenticator to 1.0, or apply the patch https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
Workarounds
If you cannot upgrade, there is no complete workaround, but it can be mitigated.
If you cannot upgrade yet, you can disable user creation with c.FirstUseAuthenticator.create_users = False. Prior to jupyterhub-firstuseauthenticator 1.0, this allows login only with fully normalized usernames, and only for users that already exist. Any users who have never logged in with their normalized username (i.e. lowercase) will still be vulnerable until you can patch or upgrade.
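An audit for the caveat above, added here as an example and not taken from the advisory or the project: it lists which existing hub users have no password entry under their normalized name. It assumes the password store is a dbm file keyed by the username as typed at first login and that normalization is lowercasing; the file name, `audit`, `stored_names` and the sample users are constructed for illustration.

```python
import dbm
import os
import tempfile


def normalize(name):
    # Assumption: normalization is lowercasing, per the advisory's "i.e. lowercase".
    return name.lower()


def stored_names(dbm_path):
    """Usernames that have an entry in the password store (assumed dbm layout)."""
    with dbm.open(dbm_path, "r") as db:
        return {key.decode("utf-8") for key in db.keys()}


def audit(hub_users, password_keys):
    """Split hub users by whether their normalized name has a password entry."""
    keys = set(password_keys)
    report = {"ok": [], "exposed": [], "variants": {}}
    for user in sorted({normalize(u) for u in hub_users}):
        report["ok" if user in keys else "exposed"].append(user)
        # Entries stored under another spelling of the same name need review.
        other = sorted(k for k in keys if k != user and normalize(k) == user)
        if other:
            report["variants"][user] = other
    return report


def demo():
    """Run the audit on a constructed store: Alice, bob and Bob have entries."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwords.dbm")  # constructed sample file
        with dbm.open(path, "c") as db:
            for key in (b"Alice", b"bob", b"Bob"):
                db[key] = b"constructed-hash"
        return audit(["alice", "bob", "carol"], stored_names(path))


if __name__ == "__main__":
    print(demo())
```

Users listed under `exposed` are the ones the workaround does not cover; names under `variants` have entries stored under a non-normalized spelling and are worth reviewing.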
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| pypi | jupyterhub-firstuseauthenticator | | 1.0.0 |