CVE-2021-41194
Published on: 10/28/2021 12:00:00 AM UTC
Last Modified on: 11/03/2021 12:26:00 PM UTC
Certain versions of First Use Authenticator from Jupyterhub contain the following vulnerability:
FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for users that already existed prior to jupyterhub-firstuseauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.
- CVE-2021-41194 has been assigned by [email protected] to track the vulnerability; it is currently rated as CRITICAL severity.
- Affected Vendor/Software: jupyterhub - firstuseauthenticator version < 1.0.0
CVSS3 Score: 9.8 - CRITICAL
Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|---|---|---|
NETWORK | LOW | NONE | NONE | UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 6.8 - MEDIUM
Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|---|---|
NETWORK | MEDIUM | NONE | PARTIAL | PARTIAL | PARTIAL |
CVE References
Description | Tags | Link |
---|---|---|
normalize username to lock password by georgejhunt · Pull Request #38 · jupyterhub/firstuseauthenticator · GitHub | github.com text/html | MISC github.com/jupyterhub/firstuseauthenticator/pull/38 |
 | github.com text/x-diff | MISC github.com/jupyterhub/firstuseauthenticator/pull/38.patch |
Improper Access Control in jupyterhub-firstuseauthenticator · Advisory · jupyterhub/firstuseauthenticator · GitHub | github.com text/html | CONFIRM github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3 |
Related QID Numbers
- 980217 Python (pip) Security Update for jupyterhub-firstuseauthenticator (GHSA-5xvc-vgmp-jgc3)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Jupyterhub | First Use Authenticator | All | All | All | All |
- cpe:2.3:a:jupyterhub:first_use_authenticator:*:*:*:*:*:*:*:*
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
@CVEreport | CVE-2021-41194 : FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on the… twitter.com/i/web/status/1… | 2021-10-28 19:46:04 |
@LinInfoSec | Jupyterhub - CVE-2021-41194: github.com/jupyterhub/fir… | 2021-10-28 23:15:11 |
@0_exploit | CVE-2021-41194 dlvr.it/SBV8w5 | 2021-10-28 23:33:03 |