—

PYSEC-2021-67

Details

JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lacks an _xsrf field, as demonstrated by a /hub/api/user request (to add or remove a user account).

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / jupyterhub

Introduced in: 0 Fixed in: 1.2.0b1

Fix pip install --upgrade 'jupyterhub>=1.2.0b1'

References

https://github.com/jupyterhub/jupyterhub/releases [WEB]
https://github.com/jupyterhub/jupyterhub/issues/3304 [REPORT]
https://github.com/advisories/GHSA-7xx3-qp5w-fw96 [ADVISORY]