GHSA-9x4q-3gxw-849f

Source
https://github.com/advisories/GHSA-9x4q-3gxw-849f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-9x4q-3gxw-849f/GHSA-9x4q-3gxw-849f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9x4q-3gxw-849f
Published
2024-08-08T14:37:06Z
Modified
2024-08-10T08:11:46.924213Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
JupyterHub has a privilege escalation vulnerability with the `admin:users` scope
Details

Summary

If a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user.

Details

The admin:users scope allows a user to edit user records. The scope reference describes it as:

    admin:users

    Read, write, create and delete users and their authentication state, not including their servers or tokens.

    -- https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes

However, editing a user record includes making that user an admin. Admin users are granted scopes beyond admin:users, so this is a mechanism by which granted scopes may be escalated.

Impact

The impact is relatively small, since admin:users is already an extremely privileged scope that is granted only to trusted users. In effect, admin:users is equivalent to admin=True, which is not intended.

Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. groups permissions from granting themselves or other users permissions via group membership, which is intentional.
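The authorization rule the fix introduces, as an added illustration in Python (this is a toy model written for this page, not JupyterHub's own handler code; the scope table, the User class and the function names are assumptions):

```python
from dataclasses import dataclass, field

# Hypothetical scope table (assumed here, not JupyterHub's real one): the
# built-in admin role implicitly carries every scope the hub defines.
ALL_SCOPES = frozenset({"admin:users", "admin:servers", "admin:groups", "tokens", "admin-ui"})


class Forbidden(Exception):
    """Raised where a real hub would answer HTTP 403."""


@dataclass
class User:
    name: str
    admin: bool = False
    scopes: set = field(default_factory=set)
    groups: list = field(default_factory=list)

    def effective_scopes(self) -> frozenset:
        # admin=True grants every scope, so letting an admin:users holder
        # flip this flag on themselves is the escalation the advisory describes.
        return ALL_SCOPES if self.admin else frozenset(self.scopes)


def patch_user(requester: User, target: User, data: dict) -> User:
    """Apply a PATCH-style update to a user record with the hardened check."""
    if "admin:users" not in requester.effective_scopes():
        raise Forbidden("admin:users scope required")
    # The mitigation: the admin flag may only be changed by a user who is
    # already a full admin; admin:users alone is not sufficient.
    if "admin" in data and not requester.admin:
        raise Forbidden("only an admin user may change the admin flag")
    # Other fields such as group membership remain editable: the advisory
    # notes that granting permissions through groups is intentional.
    for key, value in data.items():
        setattr(target, key, value)
    return target


def attempt(requester: User, target: User, data: dict) -> str:
    """Return the outcome of a patch instead of raising, for easy checking."""
    try:
        patch_user(requester, target, data)
    except Forbidden:
        return "forbidden"
    return "applied"
```

With this check an admin:users holder can still manage users and groups, but a request that sets admin on any record (their own included) is refused unless the requester is already a full admin.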

Database specific
{
    "nvd_published_at": "2024-08-08T15:15:17Z",
    "cwe_ids": [
        "CWE-274"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-08T14:37:06Z"
}
Affected packages

Package: PyPI / jupyterhub

Affected ranges
Type: ECOSYSTEM
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 4.1.6

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.6.0
0.6.1
0.7.0b1
0.7.0
0.7.1
0.7.2
0.8.0b1
0.8.0b2
0.8.0b3
0.8.0b4
0.8.0b5
0.8.0rc1
0.8.0rc2
0.8.0
0.8.1
0.9.0b1
0.9.0b2
0.9.0b3
0.9.0rc1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6

1.*

1.0.0b1
1.0.0b2
1.0.0
1.1.0b1
1.1.0
1.2.0b1
1.2.0
1.2.1
1.2.2
1.3.0
1.4.0
1.4.1
1.4.2
1.5.0
1.5.1

2.*

2.0.0b1
2.0.0b2
2.0.0b3
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1

3.*

3.0.0b1
3.0.0
3.1.0
3.1.1

4.*

4.0.0b1
4.0.0b2
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5

Package: PyPI / jupyterhub

Affected ranges
Type: ECOSYSTEM
Introduced: 5.0.0
Fixed: 5.1.0

Affected versions

5.*

5.0.0