CVE-2020-26261

Name of the Vulnerable Software and Affected Versions jupyterhub-systemdspawner versions prior to 0.15

Description jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner, user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default.

Recommendations For versions prior to 0.15, upgrade jupyterhub-systemdspawner to version 0.15 to resolve the issue. As a temporary workaround, consider restricting access to the environment of systemd units until a patch is available. No other workarounds are available other than upgrading systemdspawner to 0.15.