{"api_version":"1","generated_at":"2026-04-27T01:27:28+00:00","cve":"CVE-2020-15110","urls":{"html":"https://cve.report/CVE-2020-15110","api":"https://cve.report/api/cve/CVE-2020-15110.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-15110","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-15110"},"summary":{"title":"CVE-2020-15110","description":"In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2020-07-17 21:15:00","updated_at":"2021-11-18 18:23:00"},"problem_types":["CWE-863"],"metrics":[],"references":[{"url":"https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0","name":"https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"move delimiter to pvc/pod name templates · jupyterhub/kubespawner@3dfe870 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9gr","name":"https://github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9gr","refsource":"CONFIRM","tags":["Exploit","Third Party Advisory"],"title":"Possible pod name collisions · Advisory · jupyterhub/kubespawner · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-15110","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15110","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"15110","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jupyterhub","cpe5":"kubespawner","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"15110","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"jupyterhub","cpe5":"kubespawner","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-15110","qid":"980040","title":"Python (pip) Security Update for jupyterhub-kubespawner (GHSA-v7m9-9497-p9gr)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security-advisories@github.com","ID":"CVE-2020-15110","STATE":"PUBLIC","TITLE":"Possible pod name collisions in jupyterhub-kubespawner"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"kubespawner","version":{"version_data":[{"version_value":"< 0.12"}]}}]},"vendor_name":"jupyterhub"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12."}]},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.8,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-863: Incorrect Authorization"}]}]},"references":{"reference_data":[{"name":"https://github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9gr","refsource":"CONFIRM","url":"https://github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9gr"},{"name":"https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0","refsource":"CONFIRM","url":"https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0"}]},"source":{"advisory":"GHSA-v7m9-9497-p9gr","discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2020-07-17 21:15:00","lastModifiedDate":"2021-11-18 18:23:00","problem_types":["CWE-863"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:jupyterhub:kubespawner:*:*:*:*:*:*:*:*","versionEndExcluding":"0.12","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"15110","Ordinal":"176489","Title":"CVE-2020-15110","CVE":"CVE-2020-15110","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"15110","Ordinal":"1","NoteData":"In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"15110","Ordinal":"2","NoteData":"2020-07-17","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"15110","Ordinal":"3","NoteData":"2020-07-17","Type":"Other","Title":"Modified"}]}}}