CVE Vulnerability

CVE-2020-26261

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15

3.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.4 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

7.9 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.5 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6 Third Party Advisory
https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580 Patch Third Party Advisory
https://pypi.org/project/jupyterhub-systemdspawner/ Product Third Party Advisory
https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015 Release Notes Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:jupyterhub:systemdspawner:*:*:*:*:*:*:*:*
Information

Published : 2020-12-09 05:15

Updated : 2020-12-10 09:46

NVD link : CVE-2020-26261

Mitre link : CVE-2020-26261

Products Affected
No products.
CWE
CWE-668