GHSA-7r3h-4ph8-w38g

Source
https://github.com/advisories/GHSA-7r3h-4ph8-w38g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7r3h-4ph8-w38g/GHSA-7r3h-4ph8-w38g.json
Aliases
Published
2024-03-28T17:08:10Z
Modified
2024-04-03T11:41:34.554891Z
Details

Impact

Affected configurations:

  • Single-origin JupyterHub deployments
  • JupyterHub deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server.

By tricking a user into visiting a malicious subdomain, the attacker can achieve an XSS directly affecting the former's session. More precisely, in the context of JupyterHub, this XSS could achieve the following:

  • Full access to JupyterHub API and user's single-user server, e.g.
    • Create and exfiltrate an API Token
    • Exfiltrate all files hosted on the user's single-user server: notebooks, images, etc.
    • Install malicious extensions. They can be used as a backdoor to silently regain access to victim's session anytime.

Patches

To prevent cookie-tossing:

  • Upgrade to JupyterHub 4.1 (both hub and user environment)
  • enable per-user domains via c.JupyterHub.subdomain_host = "https://mydomain.example.org"
  • set c.JupyterHub.cookie_host_prefix_enabled = True to enable domain-locked cookies

or, if available (applies to earlier JupyterHub versions):

  • deploy jupyterhub on its own domain, not shared with any other services
  • enable per-user domains via c.JupyterHub.subdomain_host = "https://mydomain.example.org"
References

Affected packages

PyPI / jupyterhub

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
4.1.0

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.6.0
0.6.1
0.7.0b1
0.7.0
0.7.1
0.7.2
0.8.0b1
0.8.0b2
0.8.0b3
0.8.0b4
0.8.0b5
0.8.0rc1
0.8.0rc2
0.8.0
0.8.1
0.9.0b1
0.9.0b2
0.9.0b3
0.9.0rc1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6

1.*

1.0.0b1
1.0.0b2
1.0.0
1.1.0b1
1.1.0
1.2.0b1
1.2.0
1.2.1
1.2.2
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1

2.*

2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1

3.*

3.0.0b1
3.0.0
3.1.0
3.1.1

4.*

4.0.0b1
4.0.0b2
4.0.0
4.0.1
4.0.2