MEDIUM 5.4

GHSA-m68r-v472-jgq9

JupyterHub has cross-origin form POSTs bypass XSRF (CWE-352)

Details

## Summary

JupyterHub's XSRF protection (updated in 4.1.0) inappropriately treated requests carrying `Sec-Fetch-Mode: no-cors` as same-origin requests, which they are not, so the XSRF checks were bypassed for them. The JSON API is not affected; only the HTML form endpoints are, such as `/hub/spawn` and `/hub/accept-share`. An attacker could therefore trigger a spawn of a user's server (without gaining access to it), and, if the attacker is a JupyterHub user permitted to share access to their own server, cause a user to accept a share and thereby have access to the attacker's server.

## Patches

Upgrade to JupyterHub 5.4.5.

## Mitigations

If a reverse proxy is in use, drop requests to JupyterHub with `Sec-Fetch-Mode: no-cors`.
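The following is an added example (not JupyterHub's own code) illustrating both the Summary and the Mitigations sections: a classifier that shows why counting `Sec-Fetch-Mode: no-cors` as same-origin skips the XSRF token check for a cross-site POST, beside a version that keys only on `Sec-Fetch-Site`; and the reverse-proxy rule from the mitigation, expressed as a function and run over constructed requests. The endpoint paths come from the advisory; header values, the session token and the double-submit token check are constructed. The corrected classifier is this example's own rule, not a description of the 5.4.5 patch.

```python
"""Added example, not JupyterHub code: flawed vs. corrected same-origin
classification, and the advisory's reverse-proxy drop rule, over constructed requests."""
import hmac
from typing import Mapping, Optional


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup (HTTP header names are case-insensitive); values lower-cased."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return None


def same_origin_flawed(headers: Mapping[str, str]) -> bool:
    """The mistake the advisory describes: a no-cors request is counted as same-origin.
    A cross-site fetch(..., {mode: "no-cors"}) POST carries the same header, so the
    XSRF token check is skipped for it."""
    return (header(headers, "Sec-Fetch-Mode") == "no-cors"
            or header(headers, "Sec-Fetch-Site") == "same-origin")


def same_origin_fixed(headers: Mapping[str, str]) -> bool:
    """This example's corrected rule (an assumption, not necessarily the 5.4.5 patch):
    only Sec-Fetch-Site says where a request came from. A missing header (older
    browsers) is treated as not same-origin, so the token check still runs."""
    return header(headers, "Sec-Fetch-Site") == "same-origin"


STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def proxy_should_drop(method: str, headers: Mapping[str, str]) -> bool:
    """Mitigation from the advisory: drop requests sent with Sec-Fetch-Mode: no-cors.
    Assumption of this example: limited to state-changing methods, because browsers mark
    their own <script>/<img>/<link> loads (GETs) as no-cors and the Hub UI needs those."""
    return method.upper() in STATE_CHANGING and header(headers, "Sec-Fetch-Mode") == "no-cors"


AFFECTED_FORM_PATHS = ("/hub/spawn", "/hub/accept-share")  # named in the advisory


def xsrf_token_valid(form: Mapping[str, str], cookie_token: str) -> bool:
    """Constructed double-submit check: the form token must equal the session-bound token."""
    submitted = form.get("_xsrf", "")
    return bool(submitted) and bool(cookie_token) and hmac.compare_digest(submitted, cookie_token)


def handle_post(path: str, headers: Mapping[str, str], form: Mapping[str, str],
                cookie_token: str, same_origin=same_origin_fixed, proxy_filter: bool = True) -> int:
    """Decision pipeline returning an HTTP status: the proxy rule first (if enabled),
    then the app-level check, which skips the token only when `same_origin` says so."""
    if proxy_filter and proxy_should_drop("POST", headers):
        return 403
    if (path.startswith(AFFECTED_FORM_PATHS) and not same_origin(headers)
            and not xsrf_token_valid(form, cookie_token)):
        return 403
    return 200


SESSION_TOKEN = "tok-constructed-1234"  # constructed
# Constructed: genuine same-origin form submission (a browser navigation carrying the token).
SAME_ORIGIN_FORM = {"Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin"}
# Constructed: cross-site no-cors POST of the kind the advisory describes; no token present.
CROSS_SITE_NOCORS = {"Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Site": "cross-site"}
# Constructed: same-origin GET for a page asset; browsers send no-cors for these.
ASSET_GET = {"Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Site": "same-origin"}


def demo() -> dict:
    """Statuses for the constructed requests under each configuration."""
    return {
        # unpatched logic, no proxy rule: the cross-site POST reaches the spawn handler
        "flawed_no_proxy": handle_post("/hub/spawn", CROSS_SITE_NOCORS, {}, SESSION_TOKEN,
                                       same_origin=same_origin_flawed, proxy_filter=False),
        # unpatched logic, proxy rule in place: dropped before the app sees it
        "flawed_with_proxy": handle_post("/hub/spawn", CROSS_SITE_NOCORS, {}, SESSION_TOKEN,
                                         same_origin=same_origin_flawed, proxy_filter=True),
        # corrected logic alone: token check runs and fails
        "fixed_no_proxy": handle_post("/hub/accept-share", CROSS_SITE_NOCORS, {}, SESSION_TOKEN,
                                      proxy_filter=False),
        # legitimate same-origin form with token passes under the corrected logic
        "legit_form": handle_post("/hub/spawn", SAME_ORIGIN_FORM, {"_xsrf": SESSION_TOKEN},
                                  SESSION_TOKEN),
        # the proxy rule leaves ordinary asset loads alone
        "asset_get_dropped": proxy_should_drop("GET", ASSET_GET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the `demo()` matrix is that the proxy rule and the corrected classifier each close the gap on their own, while a same-origin form POST with a valid token still succeeds. Applying the drop rule to every method, as a literal reading of the mitigation would, is likely to break the Hub's own script and stylesheet loads, which is why this example scopes it to state-changing methods.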


Affected packages

PyPI / jupyterhub
Introduced in: 4.1.0
Fixed in: 5.4.5
Fix: `pip install --upgrade 'jupyterhub>=5.4.5'`
