CVE-2021-41247 — Insufficient Session Expiration in Jupyterhub

CWE-613 — Insufficient Session Expiration8 documents7 sources

Severity

7.5HIGHNVD

CNA3.5

EPSS

0.2%

top 56.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jupyterhub Jupyter Jupyterhub

Timeline

PublishedNov 4

Latest updateJun 30

Description

JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs pa…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDjupyter/jupyterhub1.0.0 — 1.5.0

▶CVEListV5jupyterhub/jupyterhub< 1.2.0 - jupyterhub (helm)+1

▶PyPIjupyterhub/jupyterhub1.0.0 — 1.5.0

▶Debianjupyterhub/jupyterhub< 2.0.0+ds1-1+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

incomplete JupyterHub logout with simultaneous JupyterLab sessions↗2021-11-08

▶

OSV

incomplete JupyterHub logout with simultaneous JupyterLab sessions↗2021-11-08

▶

CVEList

incomplete logout in JupyterHub↗2021-11-04

▶

OSV

CVE-2021-41247: JupyterHub is an open source multi-user server for Jupyter notebooks↗2021-11-04

▶

📋Vendor Advisories

Debian

CVE-2021-41247: jupyterhub - JupyterHub is an open source multi-user server for Jupyter notebooks. In affecte...↗2021

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33709 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

📄Research Papers

arXiv

Threat Assessment in Machine Learning based Systems↗2022-06-30

▶