PT-2021-11960 · Unknown · Jupyterhub

Jhespeter · Published 2021-01-13 · Updated 2024-03-06 · CVE-2020-36191
CVSS v4.0: 6.7 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: JupyterHub version 1.1.0
Description: The issue allows CSRF in the admin panel via a request that lacks an xsrf field. This can be demonstrated with a request to "/hub/api/user", which can be used to add or remove a user account.
Recommendations: For JupyterHub version 1.1.0, consider disabling the /hub/api/user endpoint until a patch is available. As a temporary workaround, ensure that every request to the admin panel includes a valid xsrf field, and that requests without one are rejected, to mitigate the risk of CSRF attacks.
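The check the advisory describes as missing, shown as an added example that is not JupyterHub's or Tornado's code: a hypothetical admin user endpoint that only trusts the session cookie (the flaw) next to the same endpoint guarded by a double-submit xsrf check. The `_xsrf` cookie/field and `X-XSRFToken` header names follow Tornado's convention; `Request`, `SESSIONS`, `handle_user_api` and `demo` are constructed here, as is every request and user in the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed session table standing in for a real login system: a browser that
# holds this cookie is treated as an authenticated admin.
SESSIONS = {"sess-admin-constructed": {"user": "alice", "admin": True}}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Request:
    """Minimal constructed HTTP request: the cookies the browser attached, plus
    the body fields and headers the requesting page was able to set."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_xsrf_token() -> str:
    """Mint an unguessable token. The server sets it as the _xsrf cookie and
    embeds the same value in the pages it serves, so only same-origin code
    (which can read the page) is able to echo it back."""
    return secrets.token_urlsafe(32)


def xsrf_check(request: Request) -> tuple:
    """Double-submit check: state-changing requests must carry an _xsrf value
    (body field or X-XSRFToken header) equal to the _xsrf cookie. A cross-site
    page can make the browser attach the cookie but cannot read it, so it
    cannot produce the matching field. Returns (allowed, reason)."""
    if request.method in SAFE_METHODS:
        return True, "safe method"
    cookie_token = request.cookies.get("_xsrf")
    supplied = request.body.get("_xsrf") or request.headers.get("X-XSRFToken")
    if not cookie_token or not supplied:
        return False, "missing _xsrf field"
    if not hmac.compare_digest(supplied.encode(), cookie_token.encode()):
        return False, "_xsrf mismatch"
    return True, "ok"


def handle_user_api(request: Request, users: set, enforce_xsrf: bool = True) -> dict:
    """Hypothetical admin endpoint that adds or removes a user account.
    enforce_xsrf=False models the flaw the advisory describes: the session
    cookie alone is trusted, so a forged cross-site request is honoured."""
    session = SESSIONS.get(request.cookies.get("session"))
    if not session or not session["admin"]:
        return {"status": 403, "error": "admin session required", "users": sorted(users)}
    if enforce_xsrf:
        allowed, reason = xsrf_check(request)
        if not allowed:
            return {"status": 403, "error": reason, "users": sorted(users)}
    action, name = request.body.get("action"), request.body.get("name")
    if action == "add" and name:
        users.add(name)
    elif action == "delete" and name:
        users.discard(name)
    else:
        return {"status": 400, "error": "unknown action", "users": sorted(users)}
    return {"status": 200, "users": sorted(users)}


def demo() -> dict:
    """Run one forged request against the unprotected and the protected handler,
    then a genuine same-origin request and a request with a wrong token."""
    token = issue_xsrf_token()
    admin_cookies = {"session": "sess-admin-constructed", "_xsrf": token}

    # Forged request: the admin's browser attaches its cookies automatically,
    # but the cross-site page cannot read _xsrf, so no matching field is sent.
    forged = Request("POST", "/hub/api/user", cookies=dict(admin_cookies),
                     body={"action": "add", "name": "mallory"})
    # Genuine request from the admin panel itself, echoing the token it was served.
    genuine = Request("POST", "/hub/api/user", cookies=dict(admin_cookies),
                      body={"action": "add", "name": "bob", "_xsrf": token})
    # A wrong token fails the constant-time comparison.
    wrong = Request("POST", "/hub/api/user", cookies=dict(admin_cookies),
                    body={"action": "delete", "name": "bob", "_xsrf": "guess"})

    return {
        "forged_unprotected": handle_user_api(forged, {"alice"}, enforce_xsrf=False),
        "forged_protected": handle_user_api(forged, {"alice"}),
        "genuine_protected": handle_user_api(genuine, {"alice"}),
        "wrong_token_protected": handle_user_api(wrong, {"alice", "bob"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The point of the comparison is that the session cookie proves who the browser belongs to, not which page made the request; only the echoed token ties the request to a page served by the same origin, which is why the workaround above asks that every admin request carry one.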

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

BIT-JUPYTERHUB-2020-36191
CVE-2020-36191
GHSA-7XX3-QP5W-FW96
PYSEC-2021-67

Affected Products

Jupyterhub