Main Vulnerability Database SB2021110429

SB2021110429 - Insufficient Session Expiration in jupyterhub

Published: November 4, 2021 Updated: April 28, 2026

Security Bulletin ID SB2021110429

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Insufficient Session Expiration (CVE-ID: CVE-2021-41247)

The vulnerability allows a remote user to regain access to the single-user server after logout.

The vulnerability exists due to insufficient session expiration in the JupyterHub single-user server session handling when logging out with another active JupyterLab session open in the same browser session. A remote user can keep multiple JupyterLab tabs open and log out in one tab to regain access to the single-user server after logout.

The issue affects fresh credentials for the single-user server only, not the Hub.

Remediation

Install update from vendor's website.

References

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-cw7p-q79f-m2v7