CVE-2021-41194

FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.

CVSS v3 9.8 CRITICAL
CVSS v2.0 6.8 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/jupyterhub/firstuseauthenticator/pull/38	Patch Third Party Advisory
https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch	Patch Third Party Advisory
https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jupyterhub:first_use_authenticator:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-10-28 20:15

Updated : 2021-11-03 12:26

NVD link : CVE-2021-41194

Mitre link : CVE-2021-41194

CVE.ORG link : CVE-2021-41194

JSON object : View

Products Affected

jupyterhub

first_use_authenticator

CWE

NVD-CWE-noinfo CWE-284

Improper Access Control

{"id": "CVE-2021-41194", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2021-10-28T20:15:07.680", "references": [{"url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs."}, {"lang": "es", "value": "FirstUseAuthenticator es un autentificador de JupyterHub que ayuda a los nuevos usuarios a establecer su contrase\u00f1a en su primer acceso a JupyterHub. Cuando es usado JupyterHub con FirstUseAuthenticator, una vulnerabilidad en versiones anteriores a 1.0.0, permite el acceso no autorizado a la cuenta de cualquier usuario si \"create_users=True\" y el nombre de usuario es conocido o adivinado. Es posible actualizar a la versi\u00f3n 1.0.0 o aplicar un parche manualmente para mitigar la vulnerabilidad. Para aquellos que no puedan actualizar, no se presenta una soluci\u00f3n completa, pero se presenta una mitigaci\u00f3n parcial. Es posible deshabilitar la creaci\u00f3n de usuarios con \"c.FirstUseAuthenticator.create_users = False\", que s\u00f3lo permitir\u00e1 el inicio de sesi\u00f3n con nombres de usuario totalmente normalizados para los usuarios ya existentes antes de jupyterhub-firstuserauthenticator versi\u00f3n 1.0.0. Si alg\u00fan usuario nunca ha iniciado sesi\u00f3n con su nombre de usuario normalizado (es decir, en min\u00fasculas), seguir\u00e1 siendo vulnerable hasta que se aplique un parche o se actualice"}], "lastModified": "2021-11-03T12:26:50.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jupyterhub:first_use_authenticator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B0092B2-B3BB-4884-833C-96DC76B68D5B", "versionEndExcluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}