CVE-2021-41194

Name of the Vulnerable Software and Affected Versions jupyterhub-firstuseauthenticator versions prior to 1.0.0

Description The vulnerability in jupyterhub-firstuseauthenticator allows unauthorized access to any user's account if create users=True and the username is known or guessed. This issue affects versions prior to 1.0.0. To mitigate the vulnerability, one can upgrade to version 1.0.0 or apply a patch manually. For those who cannot upgrade, a partial mitigation exists by disabling user creation with c.FirstUseAuthenticator.create users = False, which will only allow login with fully normalized usernames for already existing users. However, users who have never logged in with their normalized username will still be vulnerable until a patch or upgrade occurs.

Recommendations For versions prior to 1.0.0, upgrade to version 1.0.0 to resolve the issue. As a temporary workaround for those who cannot upgrade, disable user creation with c.FirstUseAuthenticator.create users = False to minimize the risk of exploitation.