CVE-2020-36191 Information

Description

JupyterHub 1.1.0 allows CSRF in the admin panel: state-changing requests issued from the admin page are accepted without an _xsrf token, so a request that lacks the _xsrf field is still honoured, as demonstrated by a /hub/api/user request (to add or remove a user account). Because the admin API is authenticated by the browser's session cookie, a logged-in admin who visits a third-party page can have that page submit the request on their behalf.
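
The following is an added illustration of the defect class described above, written for this page; it is not JupyterHub's or Tornado's own code. It models the admin-panel API as a plain function over a constructed request dict (method, session cookies, headers, body, and an `admin` flag standing in for the authenticated session) and contrasts a handler that never looks at `_xsrf` with one that applies the usual double-submit check: the `_xsrf` cookie must be echoed back in the body field `_xsrf` or in the `X-XSRFToken` header and compared in constant time. A cross-site page can make the victim's browser send the session cookie, but it cannot read or forge the token, which is what the check relies on.

```python
import hmac
import secrets

# Names below are illustrative assumptions, not JupyterHub identifiers.
XSRF_COOKIE = "_xsrf"
XSRF_HEADER = "X-XSRFToken"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token() -> str:
    """Token the server sets as the _xsrf cookie when the admin page is rendered."""
    return secrets.token_hex(16)


def submitted_token(request: dict):
    """Token the client sends back, either as a body field or as a header."""
    body = request.get("body", {})
    headers = request.get("headers", {})
    return body.get(XSRF_COOKIE) or headers.get(XSRF_HEADER)


def xsrf_ok(request: dict) -> bool:
    """Double-submit check: reject state-changing requests whose echoed token
    is missing or does not match the _xsrf cookie (constant-time compare)."""
    if request["method"].upper() not in STATE_CHANGING:
        return True  # safe methods are not required to carry a token
    cookie = request.get("cookies", {}).get(XSRF_COOKIE)
    submitted = submitted_token(request)
    if not cookie or not submitted:
        return False
    return hmac.compare_digest(cookie, submitted)


def add_user_vulnerable(request: dict, users: set) -> int:
    """'Before' behaviour: only the session is checked, never _xsrf, so a
    cross-site page can drive a logged-in admin's browser into this path."""
    if not request.get("admin"):
        return 403
    users.add(request["body"]["name"])
    return 201


def add_user_fixed(request: dict, users: set) -> int:
    """'After' behaviour: the request must also carry a matching _xsrf token."""
    if not request.get("admin"):
        return 403
    if not xsrf_ok(request):
        return 403
    users.add(request["body"]["name"])
    return 201


def make_request(token_in_body=None, token_in_header=None, cookie=None,
                 name="alice", method="POST") -> dict:
    """Build a constructed request; the browser attaches the cookie automatically,
    only a same-origin page can attach the token."""
    body = {"name": name}
    headers = {}
    if token_in_body is not None:
        body[XSRF_COOKIE] = token_in_body
    if token_in_header is not None:
        headers[XSRF_HEADER] = token_in_header
    return {"method": method, "admin": True,
            "cookies": {XSRF_COOKIE: cookie} if cookie else {},
            "headers": headers, "body": body}


def demo() -> dict:
    """Run the cases side by side and return the status codes."""
    token = issue_token()
    # Cross-site request: session cookie present (browser sends it), no token.
    cross_site = make_request(cookie=token, name="mallory")
    # Legitimate admin-panel request: token echoed in the body.
    legit = make_request(token_in_body=token, cookie=token, name="alice")
    # Forged token: attacker guesses a value that does not match the cookie.
    forged = make_request(token_in_body="0" * 32, cookie=token, name="mallory")
    # Same token supplied via header instead of body.
    via_header = make_request(token_in_header=token, cookie=token, name="bob")
    vuln_users, fixed_users = set(), set()
    return {
        "vulnerable_cross_site": add_user_vulnerable(cross_site, vuln_users),
        "fixed_cross_site": add_user_fixed(cross_site, fixed_users),
        "fixed_legit": add_user_fixed(legit, fixed_users),
        "fixed_forged": add_user_fixed(forged, fixed_users),
        "fixed_header": add_user_fixed(via_header, fixed_users),
        "vulnerable_users": sorted(vuln_users),
        "fixed_users": sorted(fixed_users),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check accepts the token from either location because a browser form and a JavaScript client submit it differently; what matters is that neither can be supplied by a cross-origin page. Note that the `_xsrf` cookie itself must not be readable cross-site, and the compare should stay constant-time so a mismatch does not leak token bytes through timing.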

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

Reference

https://github.com/jupyterhub/jupyterhub/releases
https://github.com/jupyterhub/jupyterhub/issues/3304

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

4.5

Base Severity

MEDIUM
