Fluid Attacks Database

Description

Cross-Site Request Forgery in JupyterHub JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	jupyterhub	>=0 <1.2.0b1	1.2.0b1
debian 12	jupyterhub	>=0 <3.0.0+ds1-1	3.0.0+ds1-1
debian 14	jupyterhub	>=0 <3.0.0+ds1-1	3.0.0+ds1-1
debian 13	jupyterhub	>=0 <3.0.0+ds1-1	3.0.0+ds1-1

Aliases

1. CVE-2020-361912. NVD-2020-361913. OSV-2020-361914. OSV-DEBIAN-2020-361915. GHSA-7xx3-qp5w-fw966. GCVE-2020-361917. SECURITY-TRACKER-CVE-2020-36191

References

1. https://github.com/jupyterhub/jupyterhub/issues/33042. https://github.com/jupyterhub/jupyterhub/releases3. https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2021-67.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.