CVE-2024-41942

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users.
In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
VendorProductVersion
jupyterjupyterhub
𝑥
< 4.1.6
jupyterjupyterhub
5.0.0
jupyterjupyterhub
5.0.0:beta1
jupyterjupyterhub
5.0.0:beta2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jupyterhub
bookworm
no-dsa
trixie
5.2.1+ds1-2
fixed
sid
5.2.1+ds1-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jupyterhub
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
jammy
needs-triage
focal
dne
Common Weakness Enumeration
References
https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428
https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f