Georgejhunt

**Name of the Vulnerable Software and Affected Versions** jupyterhub-firstuseauthenticator versions prior to 1.0.0 **Description** The vulnerability in jupyterhub-firstuseauthenticator allows unauthorized access to any user's account if `create users=True` and the username is known or guessed. This issue affects versions prior to 1.0.0. To mitigate the vulnerability, one can upgrade to version 1.0.0 or apply a patch manually. For those who cannot upgrade, a partial mitigation exists by disabling user creation with `c.FirstUseAuthenticator.create users = False`, which will only allow login with fully normalized usernames for already existing users. However, users who have never logged in with their normalized username will still be vulnerable until a patch or upgrade occurs. **Recommendations** For versions prior to 1.0.0, upgrade to version 1.0.0 to resolve the issue. As a temporary workaround for those who cannot upgrade, disable user creation with `c.FirstUseAuthenticator.create users = False` to minimize the risk of exploitation.