CVE-2021-41194

Published on: 10/28/2021 12:00:00 AM UTC

Last Modified on: 11/03/2021 12:26:00 PM UTC

CVE-2021-41194 - advisory for GHSA-5xvc-vgmp-jgc3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Certain versions of First Use Authenticator from Jupyterhub contain the following vulnerability:

FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.

CVE-2021-41194 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
Affected Vendor/Software: jupyterhub - firstuseauthenticator version < 1.0.0

CVSS3 Score: 9.8 - CRITICAL

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	HIGH

CVSS2 Score: 6.8 - MEDIUM

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	MEDIUM	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
PARTIAL	PARTIAL	PARTIAL

CVE References

Description	Tags ^ⓘ	Link
normalize username to lock password by georgejhunt · Pull Request #38 · jupyterhub/firstuseauthenticator · GitHub	github.com text/html	MISC github.com/jupyterhub/firstuseauthenticator/pull/38
	github.com text/x-diff	MISC github.com/jupyterhub/firstuseauthenticator/pull/38.patch
Improper Access Control in jupyterhub-firstuseauthenticator · Advisory · jupyterhub/firstuseauthenticator · GitHub	github.com text/html	CONFIRM github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

980217 Python (pip) Security Update for jupyterhub-firstuseauthenticator (GHSA-5xvc-vgmp-jgc3)

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Jupyterhub	First Use Authenticator	All	All	All	All

cpe:2.3:a:jupyterhub:first_use_authenticator:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@CVEreport	CVE-2021-41194 : FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on the… twitter.com/i/web/status/1…	2021-10-28 19:46:04
@LinInfoSec	Jupyterhub - CVE-2021-41194: github.com/jupyterhub/fir…	2021-10-28 23:15:11
@0_exploit	CVE-2021-41194 dlvr.it/SBV8w5	2021-10-28 23:33:03