DirectorySecurity Advisories
Sign In
Security Advisories

CGA-96rm-6ffx-8wm2

Published

Last updated

https://images.chainguard.dev/security/CGA-96rm-6ffx-8wm2
Package

py3-jupyterhub

Latest Update
Fixed
Fixed Version

5.1.0-r0

Aliases
  • CVE-2024-41942
  • GHSA-9x4q-3gxw-849f

Severity

7.2

High

CVSS V3

Summary

JupyterHub has a privilege escalation vulnerability with the admin:users scope

Description

Summary

If a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user.

Details

The admin:users scope allows a user to edit user records:

However, this includes making users admins. Admin users are granted scopes beyond admin:users making this a mechanism by which granted scopes may be escalated.

Impact

The impact is relatively small in that admin:users is already an extremely privileged scope only granted to trusted users. In effect, admin:users is equivalent to admin=True, which is not intended.

Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. groups permissions from granting themselves or other users permissions via group membership, which is intentional.

References

Updates

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogResearchEventsTrust CenterDocumentation