GHSA-cw7p-q79f-m2v7
Vulnerability from github
Published
2021-11-08 18:02
Modified
2024-09-24 20:50
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
incomplete JupyterHub logout with simultaneous JupyterLab sessions
Details

Impact

Users of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place.

Patches

Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the user environment that needs patching. There are no patches necessary in the Hub environment.

Workarounds

The only workaround is to make sure that only one JupyterLab tab is open when you log out.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41247"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-04T17:49:19Z",
    "nvd_published_at": "2021-11-04T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nUsers of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place.\n\n### Patches\n\nUpgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment.\n\n### Workarounds\n\nThe only workaround is to make sure that only one JupyterLab tab is open when you log out.",
  "id": "GHSA-cw7p-q79f-m2v7",
  "modified": "2024-09-24T20:50:54Z",
  "published": "2021-11-08T18:02:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41247"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/jupyterhub"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2021-386.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "incomplete JupyterHub logout with simultaneous JupyterLab sessions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.