CVE-2024-41942 — Improper Handling of Insufficient Privileges in Jupyterhub

CWE-274 — Improper Handling of Insufficient Privileges8 documents6 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 67.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jupyterhub Jupyter Jupyterhub

Timeline

PublishedAug 8

Description

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents esca…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶NVDjupyter/jupyterhub< 4.1.6+1

▶CVEListV5jupyterhub/jupyterhub< 4.1.6+1

▶PyPIjupyterhub/jupyterhub5.0.0 — 5.1.0+3

▶Debianjupyterhub/jupyterhub< 5.2.1+ds1-1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

JupyterHub has a privilege escalation vulnerability with the `admin:users` scope↗2024-08-08

▶

OSV

JupyterHub has a privilege escalation vulnerability with the `admin:users` scope↗2024-08-08

▶

OSV

CVE-2024-41942: JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks↗2024-08-08

▶

CVEList

JupyterHub has a privilege escalation vulnerability with the `admin:users` scope↗2024-08-08

▶

OSV

CVE-2024-41942: JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks↗2024-08-08

▶

📋Vendor Advisories

Debian

CVE-2024-41942: jupyterhub - JupyterHub is software that allows one to create a multi-user server for Jupyter...↗2024

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33709 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶