Vulnerability Description
In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12.
CVSS Score
6.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jupyterhub | Kubespawner | < 0.12 |
Related Weaknesses (CWE)
References
- https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8 (Patch, Third Party Advisory)
- https://github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9g (Exploit, Third Party Advisory)
FAQ
What is CVE-2020-15110?
CVE-2020-15110 is a vulnerability with a CVSS score of 6.8 (MEDIUM). In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. Th...
How severe is CVE-2020-15110?
CVE-2020-15110 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15110?
Check the references section above for vendor advisories and patch information. Affected products include: Jupyterhub Kubespawner.