Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Access Control in jupyterhub-firstuseauthenticator
Vulnerability Description
FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
访问控制不恰当
Vulnerability Title
JupyterHub 安全漏洞
Vulnerability Description
JupyterHub是JupyterHub开源的一款用于Jupyter的多用户服务器。 JupyterHub 1.0.0之前版本存在安全漏洞,该漏洞源于当JupyterHub与FirstUseAuthenticator一起使用时,允许未经授权访问任何用户的帐户。
CVSS Information
N/A
Vulnerability Type
N/A