Impact
When JupyterHub is used with FirstUseAuthenticator, the vulnerability allows unauthorized access to any user's account if create_users=True and the username is known or guessed.
Patches
Upgrade to jupyterhub-firstuseauthenticator to 1.0, or apply patch https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
Workarounds
If you cannot upgrade, there is no complete workaround, but it can be mitigated.
If you cannot upgrade yet, you can disable user creation with c.FirstUseAuthenticator.create_users = False, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until you can patch or upgrade.
georgejhunt Analyst
Impact
When JupyterHub is used with FirstUseAuthenticator, the vulnerability allows unauthorized access to any user's account if
create_users=Trueand the username is known or guessed.Patches
Upgrade to jupyterhub-firstuseauthenticator to 1.0, or apply patch https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch
Workarounds
If you cannot upgrade, there is no complete workaround, but it can be mitigated.
If you cannot upgrade yet, you can disable user creation with
c.FirstUseAuthenticator.create_users = False, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until you can patch or upgrade.