PT-2024-22348 · Unknown+1 · Jupyterhub+1
Th0H0 · Published 2024-03-27 · Updated 2025-09-02 · CVE-2024-28233
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: JupyterHub versions prior to 4.1.0

Description: The issue allows an attacker to achieve an XSS directly affecting a user's session by tricking them into visiting a malicious subdomain. This could lead to full access to the JupyterHub API and the user's single-user server. The affected configurations include single-origin JupyterHub deployments and deployments with user-controlled applications running on subdomains or peer subdomains of either the Hub or a single-user server. An attacker could create and exfiltrate an API token, exfiltrate files hosted on the user's single-user server, or install malicious extensions.

Recommendations: For versions prior to 4.1.0, upgrade to JupyterHub 4.1.0, enable per-user domains via c.JupyterHub.subdomain_host, and set c.JupyterHub.cookie_host_prefix_enabled to True to enable domain-locked cookies. Alternatively, deploy JupyterHub on its own domain and enable per-user domains via c.JupyterHub.subdomain_host.
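The following audit helper is an added example, not JupyterHub code: it loads a jupyterhub_config.py with a stub get_config() and reports which of the advisory's mitigations (version 4.1.0+, per-user domains, domain-locked cookies) are missing. The sample configs and the host hub.example.test are constructed for the example.

```python
# Added example: audit a jupyterhub_config.py against the CVE-2024-28233
# mitigations. Not part of JupyterHub; the config section stub is minimal.

class _Section:
    """Attribute bag standing in for a traitlets Config section."""
    def __init__(self):
        self.__dict__["_values"] = {}
    def __setattr__(self, name, value):
        self._values[name] = value
    def __getattr__(self, name):
        return self._values.get(name)  # unset options read as None

class _Config:
    def __init__(self):
        self.JupyterHub = _Section()

def load_config(source: str) -> _Config:
    """Execute the config text the way JupyterHub does, with a stub get_config()."""
    cfg = _Config()
    exec(compile(source, "jupyterhub_config.py", "exec"), {"get_config": lambda: cfg})
    return cfg

def parse_version(version: str) -> tuple:
    return tuple(int(p) for p in version.split(".")[:3])

def assess(source: str, version: str):
    """Return ("mitigated" | "at risk", [findings]) for a deployment."""
    findings = []
    if parse_version(version) < (4, 1, 0):
        findings.append(f"JupyterHub {version} is prior to 4.1.0: upgrade to 4.1.0")
    hub = load_config(source).JupyterHub
    if not hub.subdomain_host:
        findings.append("single-origin deployment: set c.JupyterHub.subdomain_host")
    if hub.cookie_host_prefix_enabled is not True:
        findings.append("cookies not domain-locked: set "
                        "c.JupyterHub.cookie_host_prefix_enabled = True "
                        "(required unless the Hub runs on its own domain)")
    return ("mitigated" if not findings else "at risk", findings)

# Constructed sample configs (hub.example.test is a placeholder host).
WEAK_CONFIG = '''
c = get_config()
c.JupyterHub.bind_url = "http://:8000"
'''
HARDENED_CONFIG = '''
c = get_config()
c.JupyterHub.subdomain_host = "https://hub.example.test"
c.JupyterHub.cookie_host_prefix_enabled = True
'''

if __name__ == "__main__":
    for name, cfg, ver in (("weak", WEAK_CONFIG, "4.0.2"), ("hardened", HARDENED_CONFIG, "4.1.0")):
        print(name, assess(cfg, ver))
```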

Tags: Exploit · Fix · XSS · CSRF

Weakness Enumeration

Related Identifiers: BIT-JUPYTERHUB-2024-28233, CVE-2024-28233, GHSA-7R3H-4PH8-W38G

Affected Products: Debian, Jupyterhub