CVE-2021-41194 - Vulnerability Details

Vendors	Products
Jupyterhub	First Use Authenticator

Link	Providers
https://github.com/jupyterhub/firstuseauthenticator/pull/38
https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3

{"containers": {"cna": {"affected": [{"product": "firstuseauthenticator", "vendor": "jupyterhub", "versions": [{"status": "affected", "version": "< 1.0.0"}]}], "descriptions": [{"lang": "en", "value": "FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-28T19:40:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch"}], "source": {"advisory": "GHSA-5xvc-vgmp-jgc3", "discovery": "UNKNOWN"}, "title": "Improper Access Control in jupyterhub-firstuseauthenticator", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41194", "STATE": "PUBLIC", "TITLE": "Improper Access Control in jupyterhub-firstuseauthenticator"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "firstuseauthenticator", "version": {"version_data": [{"version_value": "< 1.0.0"}]}}]}, "vendor_name": "jupyterhub"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284: Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3", "refsource": "CONFIRM", "url": "https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3"}, {"name": "https://github.com/jupyterhub/firstuseauthenticator/pull/38", "refsource": "MISC", "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38"}, {"name": "https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch", "refsource": "MISC", "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch"}]}, "source": {"advisory": "GHSA-5xvc-vgmp-jgc3", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.328Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41194", "datePublished": "2021-10-28T19:40:12", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.328Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jupyterhub:first_use_authenticator:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B0092B2-B3BB-4884-833C-96DC76B68D5B", "versionEndExcluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs."}, {"lang": "es", "value": "FirstUseAuthenticator es un autentificador de JupyterHub que ayuda a los nuevos usuarios a establecer su contrase\u00f1a en su primer acceso a JupyterHub. Cuando es usado JupyterHub con FirstUseAuthenticator, una vulnerabilidad en versiones anteriores a 1.0.0, permite el acceso no autorizado a la cuenta de cualquier usuario si \"create_users=True\" y el nombre de usuario es conocido o adivinado. Es posible actualizar a la versi\u00f3n 1.0.0 o aplicar un parche manualmente para mitigar la vulnerabilidad. Para aquellos que no puedan actualizar, no se presenta una soluci\u00f3n completa, pero se presenta una mitigaci\u00f3n parcial. Es posible deshabilitar la creaci\u00f3n de usuarios con \"c.FirstUseAuthenticator.create_users = False\", que s\u00f3lo permitir\u00e1 el inicio de sesi\u00f3n con nombres de usuario totalmente normalizados para los usuarios ya existentes antes de jupyterhub-firstuserauthenticator versi\u00f3n 1.0.0. Si alg\u00fan usuario nunca ha iniciado sesi\u00f3n con su nombre de usuario normalizado (es decir, en min\u00fasculas), seguir\u00e1 siendo vulnerable hasta que se aplique un parche o se actualice"}], "id": "CVE-2021-41194", "lastModified": "2024-11-21T06:25:44.330", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-28T20:15:07.680", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/jupyterhub/firstuseauthenticator/security/advisories/GHSA-5xvc-vgmp-jgc3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object