Firstuseauthenticator
Approved changes feed: RSS · Atom
cpe:2.3:a:jupyterhub:firstuseauthenticator:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Jupyterhub (b9fc67de-411f-5996-aa79-a32cff5a7e29) |
|---|---|
| Product | Firstuseauthenticator (c88d50d1-9691-52a0-95e6-b29b2feb4238) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2021-41194 |
vulnerable | 2026-06-08 05:35:19.984606 |
Improper Access Control in jupyterhub-firstuseauthenticator
CRITICAL (9.1)
FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if `create_users=True` and the username is known or guessed. One may upgrade to version 1.0.0 or apply a patch manually to mitigate the vulnerability. For those who cannot upgrade, there is no complete workaround, but a partial mitigation exists. One can disable user creation with `c.FirstUseAuthenticator.create_users = False`, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until a patch or upgrade occurs.
Published: 2021-10-28T19:40:12.000Z
Updated: 2024-08-04T03:08:31.328Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.