Base Score

HIGH7.9

CVE-2020-26261

jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15

VectorLOCAL

Published Bysecurity-advisories@github.com

Published DateDec 09, 2020, 17:15

Affected Versions(1)

jupyterhub-systemdspawner(PyPI)

Introduced0

Fixed0.15.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
jupyterhub-systemdspawner(PyPI)	0	0.15.0	N/A

Weakness Type (CWE):CWE-668

CVSS Metrics

Base Score

7.9

Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

HIGH7.9

Weakness Type (CWE):CWE-668

CVSS Metrics

Base Score

7.9

Vector String

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

REQUIRED

Scope (S)

CHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE