CVE-2021-41194: 
Python vulnerability analysis and mitigation

FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. A critical vulnerability (CVE-2021-41194) was discovered in versions prior to 1.0.0 that allows unauthorized access to any user's account if create_users=True and the username is known or guessed (GitHub Advisory). The vulnerability was disclosed on October 28, 2021.

The vulnerability stems from a mismatch in username normalization between JupyterHub and FirstUseAuthenticator. While JupyterHub normalizes usernames to lowercase, FirstUseAuthenticator did not perform this normalization, allowing alternate capitalizations of usernames to gain unauthorized access to user accounts. This created parallel paths to user files where multiple capitalizations of the same username could access the account (GitHub PR).

When exploited, this vulnerability allows unauthorized users to access any existing user's account by using different capitalizations of the username, as long as the create_users configuration option is enabled and the target username is known or can be guessed. This could lead to unauthorized access to sensitive data and resources within affected JupyterHub instances (GitHub Advisory).

The primary mitigation is to upgrade to FirstUseAuthenticator version 1.0.0 or later. For those who cannot upgrade immediately, a partial workaround exists by disabling user creation with c.FirstUseAuthenticator.create_users = False. However, this workaround only protects users who have previously logged in with their normalized username. Users who have never logged in with their normalized username remain vulnerable until a patch is applied or an upgrade is performed (GitHub Advisory).