CVE-2020-26261

Опубликовано: 09 дек. 2020

Источник: nvd

CVSS3: 7.9

CVSS2: 3.3

EPSS Низкий

Описание

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15

Ссылки

https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015
Release Notes
Third Party Advisory
https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580
Patch
Third Party Advisory
https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6
Third Party Advisory
https://pypi.org/project/jupyterhub-systemdspawner/
Product
Third Party Advisory
https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015
Release Notes
Third Party Advisory
https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580
Patch
Third Party Advisory
https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6
Third Party Advisory
https://pypi.org/project/jupyterhub-systemdspawner/
Product
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jupyterhub:systemdspawner:*:*:*:*:*:*:*:*

Версия до 0.15 (исключая)

EPSS

Процентиль: 38%

0.00162

Низкий

7.9 High

CVSS3

3.3 Low

CVSS2

Дефекты

CWE-668

Связанные уязвимости

GHSA-cg54-gpgr-4rm6