Headline
GHSA-9x4q-3gxw-849f: JupyterHub has a privilege escalation vulnerability with the `admin:users` scope
Summary
If a user is granted the admin:users scope, they may escalate their own privileges by making themselves a full admin user.
Details
The admin:users scope allows a user to edit user records:
admin:users
Read, write, create and delete users and their authentication state, not including their servers or tokens.
– https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes
However, this includes making users admins. Admin users are granted scopes beyond admin:users, making this a mechanism by which granted scopes may be escalated.
Impact
The impact is relatively small in that admin:users is already an extremely privileged scope only granted to trusted users.
In effect, admin:users is equivalent to admin=True, which is not intended.
Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. groups permissions from granting themselves or other users permissions via group membership, which is intentional.
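The following is an added illustration, not code from JupyterHub or from the referenced commits: a minimal model of the authorization check on a user-record update, with the pre-fix behaviour the advisory describes beside a hardened variant. The hardened rule assumed here (a caller holding admin:users may only change a user's admin flag if the caller is already an admin) is the editor's reading of the advisory, not a claim about the exact logic of the fix; all names (Caller, Forbidden, check_user_update_vulnerable, check_user_update_hardened, is_allowed) are hypothetical.

```python
"""Added example (not JupyterHub's own code): a minimal model of the
user-update authorization check, showing the escalation path described in
GHSA-9x4q-3gxw-849f beside a hardened variant. All names are hypothetical."""

from dataclasses import dataclass, field


@dataclass
class Caller:
    """The requesting user: its admin flag and the RBAC scopes it holds."""
    name: str
    admin: bool = False
    scopes: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when a user-record update is not authorized."""


def check_user_update_vulnerable(caller: Caller, target: str, changes: dict) -> dict:
    """Pre-fix behaviour: holding admin:users is the only requirement, so a
    non-admin caller can set {"admin": True} on its own record and thereby
    obtain the unrestricted built-in admin role."""
    if "admin:users" not in caller.scopes:
        raise Forbidden(f"{caller.name} lacks the admin:users scope")
    return dict(changes)


def check_user_update_hardened(caller: Caller, target: str, changes: dict) -> dict:
    """Assumed post-fix behaviour: admin:users still gates every edit, but
    changing the `admin` flag additionally requires the caller to already be
    an admin, because the admin role grants scopes beyond admin:users."""
    if "admin:users" not in caller.scopes:
        raise Forbidden(f"{caller.name} lacks the admin:users scope")
    if "admin" in changes and not caller.admin:
        raise Forbidden(
            f"{caller.name} holds admin:users but is not an admin; "
            f"only admins may change the admin status of {target}"
        )
    return dict(changes)


def is_allowed(check, caller: Caller, target: str, changes: dict) -> bool:
    """True if `check` accepts the update, False if it raises Forbidden."""
    try:
        check(caller, target, changes)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample principals for the demonstration.
    alice = Caller("alice", admin=False, scopes={"admin:users"})
    bob = Caller("bob", admin=True, scopes={"admin:users"})
    escalate = {"admin": True}
    print("vulnerable, alice promotes herself:",
          is_allowed(check_user_update_vulnerable, alice, "alice", escalate))  # True
    print("hardened,   alice promotes herself:",
          is_allowed(check_user_update_hardened, alice, "alice", escalate))    # False
    print("hardened,   bob promotes alice:",
          is_allowed(check_user_update_hardened, bob, "alice", escalate))      # True
```

The design point is that a scope granting write access to user records must not be allowed to change the one field that grants more scopes than the caller holds; the hardened check keeps admin:users useful for ordinary record edits while reserving the admin flag for callers who already have it.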
References
- GHSA-9x4q-3gxw-849f
- jupyterhub/jupyterhub@99e2720
- jupyterhub/jupyterhub@ff2db55