Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS05eDRxLTNneHctODQ5Zs4AA-f8
JupyterHub has a privilege escalation vulnerability with the `admin:users` scope
Summary
If a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user.
Details
The `admin:users` scope allows a user to edit user records:
admin:users: Read, write, create and delete users and their authentication state, not including their servers or tokens.
-- https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes
However, this includes making users admins. Admin users are granted scopes beyond `admin:users`, making this a mechanism by which granted scopes may be escalated.
Impact
The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended.
Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional.
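To make the escalation path and the shape of the fix concrete, here is an added example (not JupyterHub's own code) that models the authorization decision on a user-edit endpoint. `User`, `update_user`, `effective_scopes` and the `guard_admin_flag` switch are assumptions for illustration, not the project's API; the switch contrasts the behaviour the advisory describes with a check that requires an existing admin to change the admin flag.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in for a hub user record (assumption, not JupyterHub's model)."""
    name: str
    admin: bool = False
    scopes: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def effective_scopes(user: User) -> set:
    # Admin users hold every scope ("*"); everyone else holds only what was granted.
    return {"*"} if user.admin else set(user.scopes)


def update_user(requester: User, target: User, changes: dict, guard_admin_flag: bool) -> User:
    """Apply `changes` to `target` on behalf of `requester`.

    guard_admin_flag=False models the behaviour the advisory describes:
    admin:users alone is enough to set admin=True on any record, including your own.
    guard_admin_flag=True models the mitigation: flipping the admin flag additionally
    requires the requester to already be an admin, so admin:users can no longer
    be used to grant the unrestricted built-in admin role.
    """
    scopes = effective_scopes(requester)
    if "*" not in scopes and "admin:users" not in scopes:
        raise Forbidden("admin:users scope required to edit user records")
    if guard_admin_flag and "admin" in changes and changes["admin"] != target.admin and not requester.admin:
        raise Forbidden("only an existing admin may change the admin flag")
    for key, value in changes.items():
        setattr(target, key, value)
    return target


def try_self_escalation(guard_admin_flag: bool) -> bool:
    """True if a non-admin holder of admin:users ends up with unrestricted scopes."""
    alice = User("alice", admin=False, scopes={"admin:users"})  # constructed sample user
    try:
        update_user(alice, alice, {"admin": True}, guard_admin_flag)
    except Forbidden:
        return False
    return "*" in effective_scopes(alice)
```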
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05eDRxLTNneHctODQ5Zs4AA-f8
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-9x4q-3gxw-849f, CVE-2024-41942
References:
- https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f
- https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428
- https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba
- https://nvd.nist.gov/vuln/detail/CVE-2024-41942
- https://github.com/advisories/GHSA-9x4q-3gxw-849f
Blast Radius: 20.9
Affected Packages
pypi:jupyterhub
Dependent packages: 54
Dependent repositories: 799
Downloads: 332,154 last month
Affected Version Ranges: >= 5.0.0, < 5.1.0, < 4.1.6
Fixed in: 5.1.0, 4.1.6
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 3.0.0, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 5.0.0
All unaffected versions: 4.1.6, 5.1.0, 5.2.0, 5.2.1