CVE-2024-41942

HIGH7.2EPSS 0.13%

JupyterHub has a privilege escalation vulnerability with the `admin:users` scope

發布日:2024/8/8修改日:2026/2/4
也稱為:GHSA-9x4q-3gxw-849fBIT-jupyterhub-2024-41942CGA-ww33-3ggr-pcpgPYSEC-2024-200

描述

### Summary If a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. ### Details The `admin:users` scope allows a user to edit user records: > admin:users > > Read, write, create and delete users and their authentication state, not including their servers or tokens. > > -- https://jupyterhub.readthedocs.io/en/stable/rbac/scopes.html#available-scopes However, this includes making users admins. Admin users are granted scopes beyond `admin:users` making this a mechanism by which granted scopes may be escalated. ### Impact The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional.

受影響套件(4)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osvCVSS 3.1HIGH7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

參考連結(7)