CVE-2021-41247: 
Python vulnerability analysis and mitigation

JupyterHub, an open source multi-user server for Jupyter notebooks, was affected by a security vulnerability (CVE-2021-41247) discovered in versions 1.0.0 through 1.4.2. The vulnerability was disclosed on November 4, 2021, and was patched in version 1.5.0. The issue affects users who have multiple JupyterLab tabs open in the same browser session (GitHub Advisory).

The vulnerability occurs when users have multiple JupyterLab tabs open simultaneously in the same browser session. During logout, the process may be incomplete as fresh credentials for the single-user server (but not the Hub) can be reinstated if another active JupyterLab session is open during the logout process. The vulnerability has been assigned a severity rating of Moderate and is classified under CWE-613 (GitHub Advisory).

When exploited, this vulnerability results in an incomplete logout state where the user's credentials for the single-user server remain valid even after attempting to log out. This could potentially allow continued access to the single-user server resources when access should have been terminated. Importantly, the Hub credentials are not affected by this issue (GitHub Advisory).

The primary mitigation is to upgrade to JupyterHub version 1.5.0 or later. For distributed deployments, the patch needs to be applied to jupyterhub in the user environment, with no patches necessary in the Hub environment. As a temporary workaround, users should ensure that only one JupyterLab tab is open when logging out (GitHub Advisory).