GHSA-9x4q-3gxw-849f
Vulnerability from github
Published
2024-08-08 14:37
Modified
2025-01-21 17:56
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
JupyterHub has a privilege escalation vulnerability with the `admin:users` scope
Details

Summary

If a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user.

Details

The admin:users scope allows a user to edit user records:

admin:users

Read, write, create and delete users and their authentication state, not including their servers or tokens.

-- https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes

However, this includes making users admins. Admin users are granted scopes beyond admin:users making this a mechanism by which granted scopes may be escalated.

Impact

The impact is relatively small in that admin:users is already an extremely privileged scope only granted to trusted users. In effect, admin:users is equivalent to admin=True, which is not intended.

Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. groups permissions from granting themselves or other users permissions via group membership, which is intentional.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-274"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-08T14:37:06Z",
    "nvd_published_at": "2024-08-08T15:15:17Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nIf a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user.\n\n### Details\n\nThe `admin:users` scope allows a user to edit user records:\n\n\u003e admin:users\n\u003e\n\u003e Read, write, create and delete users and their authentication state, not including their servers or tokens.\n\u003e\n\u003e -- https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes\n\nHowever, this includes making users admins. Admin users are granted scopes beyond `admin:users` making this a mechanism by which granted scopes may be escalated.\n\n### Impact\n\nThe impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users.\nIn effect, `admin:users` is equivalent to `admin=True`, which is not intended.\n\nNote that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional.",
  "id": "GHSA-9x4q-3gxw-849f",
  "modified": "2025-01-21T17:56:40Z",
  "published": "2024-08-08T14:37:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41942"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/jupyterhub"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2024-200.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "JupyterHub has a privilege escalation vulnerability with the `admin:users` scope"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.