FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.
References
Link | Resource |
---|---|
https://github.com/jupyterhub/firstuseauthenticator/pull/38 | Patch Third Party Advisory |
https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch | Patch Third Party Advisory |
https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2021-10-28T19:40:12
Updated: 2021-10-28T19:40:11
Reserved: 2021-09-15T00:00:00
Link: CVE-2021-41194
JSON object: View
NVD Information
Status : Analyzed
Published: 2021-10-28T20:15:07.680
Modified: 2021-11-03T12:26:50.987
Link: CVE-2021-41194
JSON object: View
Redhat Information
No data.