CVE-2021-41194
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-41194
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41194.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-41194
- Aliases
- Related
- Published
- 2021-10-28T20:15:07Z
- Modified
- 2025-01-14T09:52:23.242718Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if
create_users=Trueand the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation withc.FirstUseAuthenticator.create_users = False, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs. - References