Description
jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15, user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15.
References (4)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015
Product, Third Party Advisory x_refsource_misc
https://pypi.org/project/jupyterhub-systemdspawner/
Scores
CVSS v3
7.9
EPSS
0.0016
EPSS Percentile
36.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-668
Status
published
Products (2)
jupyterhub/systemdspawner
< 0.15
pypi/jupyterhub-systemdspawner
0 - 0.15.0 (PyPI)
Published
Dec 09, 2020
Tracked Since
Feb 18, 2026