Improper Access Control in jupyterhub-firstuseauthenticator
Critical severity
GitHub Reviewed
Published
Oct 28, 2021
in
jupyterhub/firstuseauthenticator
•
Updated Sep 24, 2024
Description
Reviewed
Oct 28, 2021
Published by the National Vulnerability Database
Oct 28, 2021
Published to the GitHub Advisory Database
Oct 28, 2021
Last updated
Sep 24, 2024
Impact
When JupyterHub is used with FirstUseAuthenticator, the vulnerability allows unauthorized access to any user's account if
create_users=True
and the username is known or guessed.Patches
Upgrade to jupyterhub-firstuseauthenticator to 1.0, or apply patch https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
Workarounds
If you cannot upgrade, there is no complete workaround, but it can be mitigated.
If you cannot upgrade yet, you can disable user creation with
c.FirstUseAuthenticator.create_users = False
, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until you can patch or upgrade.References