JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).
References
Link | Resource |
---|---|
https://github.com/jupyterhub/jupyterhub/issues/3304 | Exploit Third Party Advisory |
https://github.com/jupyterhub/jupyterhub/releases | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-01-13T03:36:09
Updated: 2021-01-13T03:36:09
Reserved: 2021-01-13T00:00:00
Link: CVE-2020-36191
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-01-13T04:15:13.073
Modified: 2021-01-19T19:58:18.743
Link: CVE-2020-36191
JSON object: View
Redhat Information
No data.
CWE