CVE-2020-15110

Published: Jul 17, 2020Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.

Affected (1)

Products: Jupyterhub: Kubespawner

Jupyterhub

1 product

Kubespawner

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jupyterhub Kubespawner	Before 0.12

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (4)

https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9gr

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9gr

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.