{"id":"PYSEC-2020-52","details":"jupyterhub-systemdspawner enables JupyterHub to spawn single-user notebook servers using systemd. In jupyterhub-systemdspawner before version 0.15 user API tokens issued to single-user servers are specified in the environment of systemd units. These tokens are incorrectly accessible to all users. In particular, the-littlest-jupyterhub is affected, which uses systemdspawner by default. This is patched in jupyterhub-systemdspawner v0.15","aliases":["CVE-2020-26261","GHSA-cg54-gpgr-4rm6"],"modified":"2023-11-01T04:52:44.579829Z","published":"2020-12-09T17:15:00Z","references":[{"type":"ADVISORY","url":"https://github.com/jupyterhub/systemdspawner/security/advisories/GHSA-cg54-gpgr-4rm6"},{"type":"FIX","url":"https://github.com/jupyterhub/systemdspawner/commit/a4d08fd2ade1cfd0ef2c29dc221e649345f23580"},{"type":"PACKAGE","url":"https://pypi.org/project/jupyterhub-systemdspawner/"},{"type":"WEB","url":"https://github.com/jupyterhub/systemdspawner/blob/master/CHANGELOG.md#v015"}],"affected":[{"package":{"name":"jupyterhub-systemdspawner","ecosystem":"PyPI","purl":"pkg:pypi/jupyterhub-systemdspawner"},"ranges":[{"type":"GIT","repo":"https://github.com/jupyterhub/systemdspawner","events":[{"introduced":"0"},{"fixed":"a4d08fd2ade1cfd0ef2c29dc221e649345f23580"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.15.0"}]}],"versions":["0.9","0.9.1","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9","0.9.10","0.9.11","0.9.12","0.10","0.11","0.12","0.13","0.14"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/jupyterhub-systemdspawner/PYSEC-2020-52.yaml"}}],"schema_version":"1.7.3"}