QwikSec

Security Database

CVE

CWE

Training

CVE-2020-26261

Published: Dec 9, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

7.9

HIGH

Description

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15

Vendor	Product	Versions
jupyterhub	systemdspawner	affected `< 0.15`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6

x_refsource_CONFIRM

https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580

x_refsource_MISC

https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015

x_refsource_MISC

https://pypi.org/project/jupyterhub-systemdspawner/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.