CVSS: 7.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-26261 – user-readable api tokens in systemd units
https://notcve.org/view.php?id=CVE-2020-26261
09 Dec 2020 — jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15 jupyterhub-systemdspawner permite que JupyterHub genere servidores de por... • https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015 • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2020-15110 – Possible pod name collisions in jupyterhub-kubespawner
https://notcve.org/view.php?id=CVE-2020-15110
17 Jul 2020 — In jupyterhub-kubespawner before 0.12, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames. This has been fixed in 0.12. En jupyterhub-kubespawner versiones anteriores a 0.12, determinados nombres de usuario serán capaces de diseñar nombres de servidores particulares que les otorgarán acceso al servidor predeterminado de otros usuarios que presentan nombres de usuario coincidentes. Esto ha sido corregid... • https://github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0 • CWE-863: Incorrect Authorization •