CVE-2024-41942: 
Wolfi vulnerability analysis and mitigation

JupyterHub, a software that enables creation of multi-user servers for Jupyter notebooks, disclosed a privilege escalation vulnerability (CVE-2024-41942) affecting versions prior to 4.1.6 and 5.1.0. The vulnerability allows users with admin:users scope to escalate their privileges by making themselves full admin users (GitHub Advisory).

The vulnerability stems from insufficient privilege controls in the admin:users scope implementation. Users granted the admin:users scope, which normally allows reading, modifying, creating, and deleting users and their authentication state, could exploit this permission to elevate themselves to full admin status. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD).

The impact is considered relatively contained as the admin:users scope is already a highly privileged permission typically granted only to trusted users. However, the vulnerability effectively makes the admin:users scope equivalent to having full admin privileges (admin=True), which was not the intended behavior. The vulnerability does not affect the intentional functionality where users with group permissions can grant themselves or others permissions via group membership (GitHub Advisory).

The vulnerability has been patched in JupyterHub versions 4.1.6 and 5.1.0. Users are advised to upgrade to these or later versions to prevent privilege escalation. The fix prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions (GitHub Advisory).