First published: Thu Nov 04 2021(Updated: )
### Impact Users of JupyterLab with JupyterHub who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place. ### Patches Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. ### Workarounds The only workaround is to make sure that only one JupyterLab tab is open when you log out.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
pip/jupyterhub | >=1.0.0<1.5.0 | 1.5.0 |
Jupyter JupyterHub | >=1.0.0<1.5.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-41247 is a vulnerability in JupyterHub that can result in incomplete logout from the single-user server.
CVE-2021-41247 has a severity rating of 7.5 (high).
CVE-2021-41247 affects JupyterHub versions from 1.0.0 to 1.5.0.
To fix CVE-2021-41247, it is recommended to update JupyterHub to a version beyond 1.5.0.
More information about CVE-2021-41247 can be found in the following references: [link1](https://github.com/jupyterhub/jupyterhub/commit/5ac9e7f73a6e1020ffddc40321fc53336829fe27), [link2](https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7).