CVE-2020-26250
published 2020-12-01CVE-2020-26250: OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2)…
PriorityP337medium6.3CVSS 3.1
AVNACHPRLUINSCCHINAN
EPSS
1.11%
61.8th percentile
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist` are **not** affected. All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `admin.whitelist.users` configuration in the jupyterhub helm chart or the `c.Authenticator.whitelist` configuration directly. Users of other deprecated configuration, e.g. `c.GitHubOAuthenticator.team_whitelist` are **not** affected. If you see a log line like this and expect a specific list of allowed usernames: "[I 2020-11-27 16:51:54.528 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed." you are likely affected. Updating oauthenticator to 0.12.2 is recommended. A workaround is to replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed_users = ...`. If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface, per the referenced documentation.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jupyter | oauthenticator | >= 0.12.0 < 0.12.2 | 0.12.2 |
| jupyterhub | oauthenticator | — | — |
| jupyterhub | oauthenticator | >= 0 < a4aac191c16cf6281f3d346615aefa75702b02d7 | a4aac191c16cf6281f3d346615aefa75702b02d7 |
| jupyterhub | oauthenticator | >= 0.12.0 < 0.12.2 | 0.12.2 |
CVSS provenance
nvdv3.16.3MEDIUMCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Base class whitelist configuration ignored in OAuthenticator
osv·2020-12-01
CVE-2020-26250 [HIGH] Base class whitelist configuration ignored in OAuthenticator
Base class whitelist configuration ignored in OAuthenticator
### Impact
__What goes wrong?__
The deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist` are **not** affected.
__Who is impacted?__
All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the
OSV
CVE-2020-26250: OAuthenticator is an OAuth login mechanism for JupyterHub
osv·2020-12-01
CVE-2020-26250 CVE-2020-26250: OAuthenticator is an OAuth login mechanism for JupyterHub
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist` are **not** affected. All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `ad
GHSA
Base class whitelist configuration ignored in OAuthenticator
ghsa·2020-12-01
CVE-2020-26250 [HIGH] CWE-863 Base class whitelist configuration ignored in OAuthenticator
Base class whitelist configuration ignored in OAuthenticator
### Impact
__What goes wrong?__
The deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist` are **not** affected.
__Who is impacted?__
All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/jupyterhub/oauthenticator/blob/master/docs/source/changelog.md#0122---2020-11-30https://github.com/jupyterhub/oauthenticator/commit/a4aac191c16cf6281f3d346615aefa75702b02d7https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-384w-5v3f-q499https://jupyterhub.readthedocs.io/en/1.2.2/getting-started/authenticators-users-basics.html#add-or-remove-users-from-the-hubhttps://github.com/jupyterhub/oauthenticator/blob/master/docs/source/changelog.md#0122---2020-11-30https://github.com/jupyterhub/oauthenticator/commit/a4aac191c16cf6281f3d346615aefa75702b02d7https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-384w-5v3f-q499https://jupyterhub.readthedocs.io/en/1.2.2/getting-started/authenticators-users-basics.html#add-or-remove-users-from-the-hub
2020-12-01
Published