cve/2024/CVE-2024-41942.md
2024-08-09 18:54:21 +00:00

### [CVE-2024-41942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41942)
![](https://img.shields.io/static/v1?label=Product&message=jupyterhub&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%204.1.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-274%3A%20Improper%20Handling%20of%20Insufficient%20Privileges&color=brightgreen)
### Description
JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.
### POC
#### Reference
No PoCs from references.
#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds