GHSA-cw7p-q79f-m2v7

Source
https://github.com/advisories/GHSA-cw7p-q79f-m2v7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-cw7p-q79f-m2v7/GHSA-cw7p-q79f-m2v7.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cw7p-q79f-m2v7
Aliases
Published
2021-11-08T18:02:37Z
Modified
2024-09-24T21:27:37.884550Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Summary
incomplete JupyterHub logout with simultaneous JupyterLab sessions
Details

Impact

Users of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session may see an incomplete logout from the single-user server: fresh credentials (for the single-user server only, not the Hub) are reinstated after logout if another active JupyterLab session is open while the logout takes place.

Patches

Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the user environment that needs patching. There are no patches necessary in the Hub environment.

Workarounds

The only workaround is to make sure that only one JupyterLab tab is open when you log out.

Database specific
{
    "nvd_published_at": "2021-11-04T18:15:00Z",
    "cwe_ids": [
        "CWE-613"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-04T17:49:19Z"
}
References

Affected packages

PyPI / jupyterhub

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Fixed
1.5.0

Affected versions

1.*

1.0.0
1.1.0b1
1.1.0
1.2.0b1
1.2.0
1.2.1
1.2.2
1.3.0
1.4.0
1.4.1
1.4.2