7.2
CVE-2024-41942
- EPSS 0.1%
- Veröffentlicht 08.08.2024 15:15:17
- Zuletzt bearbeitet 12.08.2024 15:53:27
- Quelle security-advisories@github.com
- Teams Watchlist Login
- Unerledigt Login
JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Jupyter ≫ Jupyterhub Version < 4.1.6
Jupyter ≫ Jupyterhub Version5.0.0 Update-
Jupyter ≫ Jupyterhub Version5.0.0 Updatebeta1
Jupyter ≫ Jupyterhub Version5.0.0 Updatebeta2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.283 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 7.2 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
|
CWE-274 Improper Handling of Insufficient Privileges
The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.