
CVE-2020-36191: Cross-Site Request Forgery in JupyterHub

CVSS Score: 4.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.32497%
Published: 5/24/2022
Updated: 9/24/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N

Package Name: jupyterhub
Ecosystem: pip
Vulnerable Versions: < 1.2.0b1
First Patched Version: 1.2.0b1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from admin user management endpoints (/hub/api/user) not enforcing CSRF protection. In Tornado-based applications like JupyterHub, POST/DELETE handlers should call check_xsrf_cookie() or use @web.authenticated with xsrf protection. The GitHub issue (#3304) demonstrates these endpoints accept requests without _xsrf tokens, indicating missing CSRF checks in their handler methods. The UserAdminHandler's post() and delete() methods would be responsible for these actions, making them the likely vulnerable functions.
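The check described above, modelled in plain Python as an added example. This is not JupyterHub's or Tornado's own code: `check_xsrf` mirrors the shape of Tornado's `check_xsrf_cookie()` (in a real Tornado app the `xsrf_cookies=True` application setting applies that check to POST/PUT/PATCH/DELETE automatically), while `Request`, `handle_user_admin` and `scenario` are hypothetical stand-ins for the admin user endpoint, and the cookie and user names are constructed. Running it with `enforce_xsrf=False` reproduces the vulnerable behaviour the analysis describes; with the check in place a state-changing request that carries the session cookies but no `_xsrf` field is refused.

```python
"""Added example (not JupyterHub's or Tornado's own code): a minimal model of the
XSRF double-submit check that protects state-changing requests, applied by a toy
stand-in for an admin user endpoint. check_xsrf, Request, handle_user_admin and
scenario are hypothetical names; the traffic below is constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that change server state and therefore must carry a CSRF token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


class CSRFError(Exception):
    """Raised when a state-changing request does not prove same-origin intent."""


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)  # cookies the browser attached
    headers: dict = field(default_factory=dict)  # e.g. X-XSRFToken
    form: dict = field(default_factory=dict)     # body fields, e.g. _xsrf, name


def new_xsrf_token() -> str:
    """Token the server sets as the _xsrf cookie when it renders the admin page."""
    return secrets.token_hex(16)


def check_xsrf(req: Request) -> None:
    """Double-submit check modelled on Tornado's check_xsrf_cookie(): the token the
    request presents (form field or header) must equal the _xsrf cookie. A request
    issued from another origin gets the cookie attached by the browser but cannot
    read it, so it cannot supply a matching field."""
    headers = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
    token = req.form.get("_xsrf") or headers.get("x-xsrftoken") or headers.get("x-csrftoken")
    if not token:
        raise CSRFError("'_xsrf' argument missing from request")
    cookie = req.cookies.get("_xsrf")
    if not cookie:
        raise CSRFError("'_xsrf' cookie missing")
    if not hmac.compare_digest(token, cookie):  # constant-time comparison
        raise CSRFError("XSRF cookie does not match request token")


def handle_user_admin(req: Request, users: set, enforce_xsrf: bool = True):
    """Toy stand-in for an admin endpoint like /hub/api/user that adds or removes
    a user. enforce_xsrf=False reproduces the vulnerable shape (no check at all).
    Returns (status, message) so results can be asserted on."""
    if enforce_xsrf and req.method in STATE_CHANGING:
        try:
            check_xsrf(req)
        except CSRFError as exc:
            return 403, str(exc)
    if req.method == "POST":
        users.add(req.form["name"])
        return 201, f"created {req.form['name']}"
    if req.method == "DELETE":
        users.discard(req.form["name"])
        return 204, f"deleted {req.form['name']}"
    return 405, "method not allowed"


def scenario(enforce_xsrf: bool):
    """Constructed traffic: a logged-in admin's browser sends two POSTs that both carry
    the session cookies. Only the one the admin page itself issued has the _xsrf field.
    Returns (status of the legitimate request, status of the cross-site one, users)."""
    users = {"alice"}
    token = new_xsrf_token()
    cookies = {"jupyterhub-session-id": "constructed-session", "_xsrf": token}

    same_site = Request("POST", "/hub/api/user", cookies=dict(cookies),
                        form={"name": "bob", "_xsrf": token})
    # Cross-site request: cookies are attached automatically, but the originating
    # page cannot read the _xsrf cookie, so the field is absent.
    cross_site = Request("POST", "/hub/api/user", cookies=dict(cookies),
                         form={"name": "mallory"})

    s1, _ = handle_user_admin(same_site, users, enforce_xsrf)
    s2, _ = handle_user_admin(cross_site, users, enforce_xsrf)
    return s1, s2, users


if __name__ == "__main__":
    print("patched  :", scenario(enforce_xsrf=True))   # (201, 403, {'alice', 'bob'})
    print("unpatched:", scenario(enforce_xsrf=False))  # (201, 201, {'alice', 'bob', 'mallory'})
```

The point of the double-submit pattern is that the cookie alone proves nothing: browsers attach it to any request aimed at the hub, so the handler must also demand a copy of the token that only same-origin code could have read. A detection angle follows from the same shape: a 403 with "'_xsrf' argument missing" on an admin endpoint is the signal that a cross-site request was attempted and blocked.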

WAF Protection Rules

WAF Rule

JupyterHub *.*.* allows CSRF in the admin panel via a request that lacks an `_xsrf` field, as demonstrated by a /hub/api/user request (to add or remove a user account).