PT-2024-29650 · Unknown+1 · Jupyterhub+1

Oliver-Sanders · Published 2024-08-08 · Updated 2024-08-12 · CVE-2024-41942

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: JupyterHub versions prior to 4.1.6 and 5.1.0

Description: The issue allows a user granted the admin:users scope to escalate their own privileges by making themselves a full admin user. This scope is already extremely privileged and only granted to trusted users. In effect, admin:users is equivalent to admin=True, which is not intended. The impact is relatively small, and the change only prevents escalation to the built-in JupyterHub admin role with unrestricted permissions. It does not prevent users with groups permissions from granting themselves or other users permissions via group membership, which is intentional.

Recommendations: To resolve the issue, update to version 4.1.6 or 5.1.0, as these versions fix the issue. As a temporary workaround, consider restricting the use of the admin:users scope to minimize the risk of exploitation. Restrict access to the admin=True equivalent permissions to prevent unintended privilege escalation.
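An added audit helper (not part of this advisory or of the JupyterHub project) that applies the two points above: it decides whether a reported JupyterHub version falls in the affected range, and it lists non-admin users whose roles carry the admin:users scope, i.e. the users who on an unpatched hub could make themselves full admins. The role and user records are constructed to mirror the shape of `c.JupyterHub.load_roles` entries and `GET /hub/api/users` items; scope names other than admin:users are illustrative.

```python
"""Audit helpers for CVE-2024-41942 (JupyterHub admin:users scope escalation).
Constructed example; not JupyterHub project code."""
import re

# Fixed releases named in the advisory: 4.1.6 (4.x line) and 5.1.0 (5.x line).
def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised JupyterHub version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable(version):
    """True when the version predates the fix for its release line."""
    v = parse_version(version)
    if v[0] >= 5:
        return v < (5, 1, 0)
    return v < (4, 1, 6)          # covers 4.1.x and every older line

def holds_admin_users(scope):
    # Exact scope, or a filtered form such as "admin:users!group=team-a".
    return scope == "admin:users" or scope.startswith("admin:users!")

def escalation_candidates(users, roles):
    """users: list of {'name', 'admin', 'roles'} (as returned by /hub/api/users)
    roles: mapping role name -> list of scopes (as in load_roles).
    Returns (user, [matching scopes]) for non-admins holding admin:users."""
    found = []
    for user in users:
        if user.get("admin"):
            continue               # already full admin; nothing to escalate
        scopes = {s for r in user.get("roles", []) for s in roles.get(r, [])}
        held = sorted(s for s in scopes if holds_admin_users(s))
        if held:
            found.append((user["name"], held))
    return found

# Constructed sample data (assumed shapes, not captured from a real hub).
SAMPLE_ROLES = {
    "admin": ["admin:users", "admin:servers"],       # built-in; holders have admin=True
    "user-manager": ["admin:users", "list:users"],
    "group-scoped": ["admin:users!group=team-a"],
    "user": ["self"],
}
SAMPLE_USERS = [
    {"name": "root-admin", "admin": True, "roles": ["admin"]},
    {"name": "alice", "admin": False, "roles": ["user-manager"]},
    {"name": "bob", "admin": False, "roles": ["group-scoped", "user"]},
    {"name": "carol", "admin": False, "roles": ["user"]},
]
```

Run `escalation_candidates(SAMPLE_USERS, SAMPLE_ROLES)` to get the users to review; on a patched hub the same list still identifies who can administer other users, which the advisory notes remains a highly privileged grant.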


Related Identifiers

BIT-JUPYTERHUB-2024-41942
CVE-2024-41942
GHSA-9X4Q-3GXW-849F
PYSEC-2024-200

Affected Products

Debian
Jupyterhub