QID 980217

QID 980217: Python (pip) Security Update for jupyterhub-firstuseauthenticator (GHSA-5xvc-vgmp-jgc3)

Security update has been released for jupyterhub-firstuseauthenticator to fix the vulnerability.

When JupyterHub is used with FirstUseAuthenticator, the vulnerability allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed.

  • CVSS v3: 9.8 (Critical)
  • CVSS v2: 6.8 (High)
  • Solution
    Upgrade jupyterhub-firstuseauthenticator to 1.0, or apply the patch https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
    Workaround:
    If you cannot upgrade, there is no complete workaround, but the issue can be mitigated.

    If you cannot upgrade yet, you can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which, in versions prior to jupyterhub-firstuseauthenticator 1.0, only allows login with fully normalized usernames for already existing users. If any users have never logged in with their normalized username (i.e. lowercase), they remain vulnerable until you can patch or upgrade.
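As an added audit example (not code from this page or from the jupyterhub project): a script that lists the entries in a FirstUseAuthenticator password store whose stored username is not already in normalized form, i.e. the accounts the caveat above says remain exposed even after setting `create_users = False`. It assumes the store is a dbm file keyed by the username as typed at first login (the default file name `passwords.dbm` is an assumption) and that normalization means lowercasing.

```python
"""Audit: which FirstUseAuthenticator accounts are stored under a
non-normalized username? Added example; not code from the Qualys page
or the jupyterhub project."""
import dbm
import os
import tempfile


def normalize_username(username: str) -> str:
    # Assumption: JupyterHub's default username normalization is lowercasing.
    return username.lower()


def find_unnormalized(usernames):
    """Return {stored_name: normalized_name} for every stored username
    that differs from its normalized form. Per the advisory, these are
    the accounts still exposed with create_users=False, until upgrade."""
    flagged = {}
    for name in usernames:
        norm = normalize_username(name)
        if name != norm:
            flagged[name] = norm
    return flagged


def audit_store(path: str):
    """Open the password store read-only and audit its keys.
    Assumption: the store is a dbm file keyed by username bytes
    (FirstUseAuthenticator's default file name is assumed to be 'passwords.dbm')."""
    with dbm.open(path, "r") as db:
        names = [key.decode("utf-8", "replace") for key in db.keys()]
    return find_unnormalized(names)


def demo():
    """Build a constructed store with one mixed-case entry and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwords")
        with dbm.open(path, "c") as db:
            # Constructed placeholder values, not real password hashes.
            db["alice"] = b"$2b$12$constructed-placeholder-hash"
            db["Bob"] = b"$2b$12$constructed-placeholder-hash"
            db["carol"] = b"$2b$12$constructed-placeholder-hash"
        return audit_store(path)


if __name__ == "__main__":
    for stored, norm in demo().items():
        print(f"{stored!r} is stored unnormalized (normalized form {norm!r})")
```

Point `audit_store` at the hub's real store path to get the list of users who should be asked to log in once with their lowercase username, or prioritised for the upgrade.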
  • Software Advisories
    GHSA-5xvc-vgmp-jgc3 (jupyterhub-firstuseauthenticator): github.com/advisories/GHSA-5xvc-vgmp-jgc3