Vulnerabilities > CVE-2020-26261 - Exposure of Resource to Wrong Sphere vulnerability in Jupyterhub Systemdspawner

CVSS 7.9 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

local

low complexity

jupyterhub

CWE-668

NVD

Published: 2020-12-09

Updated: 2020-12-10

Summary

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15

Vulnerable Configurations

Part	Description	Count
Application	Jupyterhub Jupyterhub Systemdspawner 0.9 Jupyterhub Systemdspawner 0.9.1 Jupyterhub Systemdspawner 0.9.5 Jupyterhub Systemdspawner 0.9.6 Jupyterhub Systemdspawner 0.9.7 Jupyterhub Systemdspawner 0.9.8 Jupyterhub Systemdspawner 0.9.9 Jupyterhub Systemdspawner 0.9.10 Jupyterhub Systemdspawner 0.9.11 Jupyterhub Systemdspawner 0.9.12 Jupyterhub Systemdspawner 0.10 Jupyterhub Systemdspawner 0.11 Jupyterhub Systemdspawner 0.12 Jupyterhub Systemdspawner 0.13 Jupyterhub Systemdspawner 0.14	15

Common Weakness Enumeration (CWE)

CWE-668 - Exposure of Resource to Wrong Sphere

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References