Cross-Site Request Forgery in JupyterHub Admin Panel
CVE-2020-36191

4.5MEDIUM

Key Information:

Vendor

Jupyter

Status
Jupyterhub
Vendor
CVE Published:
13 January 2021

What is CVE-2020-36191?

JupyterHub version 1.1.0 contains a vulnerability that allows for Cross-Site Request Forgery (CSRF) in the admin panel. This issue occurs when a request is made without a required _xsrf field, enabling malicious actors to exploit this flaw to add or remove user accounts without proper authorization. It is crucial for administrators to be aware of this vulnerability to implement appropriate security measures to protect against potential unauthorized actions.

References

https://github.com/jupyterhub/jupyterhub/issues/3304
x_refsource_MISC
https://github.com/jupyterhub/jupyterhub/releases
x_refsource_MISC

CVSS V3.1

Score:
4.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.