9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41194

GHSA ID

GHSA-5xvc-vgmp-jgc3

EPSS Score

0.56976%

CWE

CWE-284

Published

10/28/2021

Updated

9/24/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41194

CVE-2021-41194: Improper Access Control in jupyterhub-firstuseauthenticator

Impact

When JupyterHub is used with FirstUseAuthenticator, the vulnerability allows unauthorized access to any user's account if create_users=True and the username is known or guessed.

Patches

Upgrade to jupyterhub-firstuseauthenticator to 1.0, or apply patch https://github.com/jupyterhub/firstuseauthenticator/pull/38.patch

Workarounds

If you cannot upgrade, there is no complete workaround, but it can be mitigated.

If you cannot upgrade yet, you can disable user creation with c.FirstUseAuthenticator.create_users = False, which will only allow login with fully normalized usernames for already existing users prior to jupyterhub-firstuserauthenticator 1.0. If any users have never logged in with their normalized username (i.e. lowercase), they will still be vulnerable until you can patch or upgrade.

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41194

GHSA ID

GHSA-5xvc-vgmp-jgc3

EPSS Score

0.56976%

CWE

CWE-284

Published

10/28/2021

Updated

9/24/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jupyterhub-firstuseauthenticator	pip	< 1.0.0	1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from username normalization mismatch between JupyterHub core and the authenticator. The key vulnerable function was authenticate() which: 1. Originally used raw username input without normalization (pre-patch) 2. Stored passwords against non-normalized usernames in the DBM file 3. Allowed creation of duplicate accounts through case variations. The critical evidence is in the patch which added self.normalize_username() call and the _check_passwords() cleanup function to address this vulnerability. The authentication flow without proper normalization directly enabled the access control bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n Jupyt*r*u* is us** wit* *irstUs**ut**nti**tor, t** vuln*r**ility *llows un*ut*oriz** ****ss to *ny us*r's ***ount i* `*r**t*_us*rs=Tru*` *n* t** us*rn*m* is known or *u*ss**. ### P*t***s Up*r*** to jupyt*r*u*-*irstus**ut**nti**tor

Reasoning

T** vuln*r**ility st*mm** *rom us*rn*m* norm*liz*tion mism*t** **tw**n Jupyt*r*u* *or* *n* t** *ut**nti**tor. T** k*y vuln*r**l* *un*tion w*s *ut**nti**t*() w*i**: *. Ori*in*lly us** r*w us*rn*m* input wit*out norm*liz*tion (pr*-p*t**) *. Stor** p*ss

9.1

Basic Information

Concerned about an active attack path?

CVE-2021-41194: Improper Access Control in jupyterhub-firstuseauthenticator

Impact

Patches

Workarounds

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI