#VU103634 Improper privilege management in jupyterhub - CVE-2024-41942

Cybersecurity Help s.r.o.

Published: 2025-02-05

Vulnerability identifier: #VU103634

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-41942

CWE-ID: CWE-269

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jupyterhub
Other software / Other software solutions

Vendor: jupyterhub

Description

The vulnerability allows a remote privileged user to escalate privileges.

The vulnerability exists due to `admin:users` is equivalent to `admin=True`, which is not intended. A remote privileged user can escalate their own privileges by making themselves a full admin user

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jupyterhub: before 4.1.6

External links
https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f
https://github.com/jupyterhub/jupyterhub/commit/99e2720b0fc626cbeeca3c6337f917fdacfaa428
https://github.com/jupyterhub/jupyterhub/commit/ff2db557a85b6980f90c3158634bf924063ab8ba

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cognos Analytics

Improper privilege management in jupyterhub jupyterhub