CVE-2021-41194

CRITICAL

JupyterHub <1.0.0 - Privilege Escalation

Title source: llm
STIX 2.1

Description

FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.

References (3)

Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyterhub/firstuseauthenticator/pull/38
Patch, Third Party Advisory x_refsource_misc
https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch

Scores

CVSS v3 9.1
EPSS 0.0132
EPSS Percentile 67.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-284
Status published
Products (2)
jupyterhub/first_use_authenticator < 1.0.0
pypi/jupyterhub-firstuseauthenticator 0 - 1.0.0PyPI
Published Oct 28, 2021
Tracked Since Feb 18, 2026