CVE-2020-36191 — Cross-Site Request Forgery in Jupyterhub

CWE-352 — Cross-Site Request Forgery8 documents7 sources

Severity

4.5MEDIUMNVD

EPSS

0.1%

top 68.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jupyterhub Jupyter Jupyterhub

Timeline

PublishedJan 13

Latest updateJun 30

Description

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages3 packages

▶PyPIjupyterhub/jupyterhub< 1.2.0b1

▶Debianjupyterhub/jupyterhub< 3.0.0+ds1-1+2

▶NVDjupyter/jupyterhub1.1.0

🔴Vulnerability Details

OSV

Cross-Site Request Forgery in JupyterHub↗2022-05-24

▶

GHSA

Cross-Site Request Forgery in JupyterHub↗2022-05-24

▶

CVEList

CVE-2020-36191: JupyterHub 1↗2021-01-13

▶

OSV

CVE-2020-36191: JupyterHub 1↗2021-01-13

▶

📋Vendor Advisories

Debian

CVE-2020-36191: jupyterhub - JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsr...↗2020

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33709 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

📄Research Papers

arXiv

Threat Assessment in Machine Learning based Systems↗2022-06-30

▶