user-readable api tokens in systemd units
CVE-2020-26261

7.9HIGH

Key Information:

Vendor

Jupyterhub

Status
Systemdspawner
Vendor
CVE Published:
9 December 2020

What is CVE-2020-26261?

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

systemdspawner < 0.15

References

https://github.com/jupyterhub/systemdspawner/security/adv...
x_refsource_CONFIRM
https://github.com/jupyterhub/systemdspawner/commit/a4d08...
x_refsource_MISC
https://github.com/jupyterhub/systemdspawner/blob/master/...
x_refsource_MISC

CVSS V3.1

Score:
7.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.