CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
28.5%
If a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user.

The `admin:users` scope allows a user to edit user records:

> admin:users
>
> Read, write, create and delete users and their authentication state, not including their servers or tokens.
>
> – https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes

However, this includes making users admins. Admin users are granted scopes beyond `admin:users`, making this a mechanism by which granted scopes may be escalated.

The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended.

Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional.
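The following is an added illustration, not JupyterHub's own code: a simplified model of a scope-guarded user-update handler showing the vulnerable check (where `admin:users` alone lets a caller set the `admin` flag on their own record) beside a hardened check that additionally requires the requester to already hold the admin role, while leaving group membership editable as the advisory says is intentional. The `User` shape, `has_scope` and the two `update_user_*` functions are assumptions made for this example.

```python
# Simplified model of a user-update endpoint guarded by JupyterHub-style scopes.
# Assumed shape for illustration only; not JupyterHub's own handler code.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Requester lacks the permission needed for the change."""

@dataclass
class User:
    name: str
    admin: bool = False                        # built-in admin role: unrestricted
    scopes: set = field(default_factory=set)   # granted scopes, e.g. {"admin:users"}
    groups: set = field(default_factory=set)

def has_scope(user: User, scope: str) -> bool:
    return user.admin or scope in user.scopes  # the admin role implies every scope

def update_user_vulnerable(requester: User, target: User, changes: dict) -> User:
    """Vulnerable check: admin:users alone permits every field, `admin` included."""
    if not has_scope(requester, "admin:users"):
        raise Forbidden("admin:users required")
    for key, value in changes.items():
        setattr(target, key, value)
    return target

def update_user_fixed(requester: User, target: User, changes: dict) -> User:
    """Hardened check: toggling `admin` also requires the requester to already be
    an admin; other fields such as groups stay editable with admin:users."""
    if not has_scope(requester, "admin:users"):
        raise Forbidden("admin:users required")
    if "admin" in changes and bool(changes["admin"]) != target.admin and not requester.admin:
        raise Forbidden("only an existing admin may grant or revoke the admin role")
    for key, value in changes.items():
        setattr(target, key, value)
    return target

def demo() -> dict:
    """Constructed scenario: a user holding only admin:users edits their own record."""
    vuln = User("alice", scopes={"admin:users"})
    update_user_vulnerable(vuln, vuln, {"admin": True})
    fixed = User("alice", scopes={"admin:users"})
    try:
        update_user_fixed(fixed, fixed, {"admin": True})
    except Forbidden:
        pass
    update_user_fixed(fixed, fixed, {"groups": {"analysts"}})  # still permitted
    return {"vulnerable_became_admin": vuln.admin,            # True
            "fixed_became_admin": fixed.admin,                # False
            "fixed_group_edit_ok": "analysts" in fixed.groups}  # True
```

The hardened path still lets a requester who already holds the admin role set or clear the flag on other users, so legitimate administration is unaffected.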
| Vendor | Product | Version | CPE |
|---|---|---|---|
| jupyterhub | jupyterhub | * | cpe:2.3:a:jupyterhub:jupyterhub:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-9x4q-3gxw-849f
github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428
github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba
github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f
nvd.nist.gov/vuln/detail/CVE-2024-41942