CVE-2024-37300
published 2024-06-12CVE-2024-37300: OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with…
PriorityP348high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
EPSS
0.40%
32.3th percentile
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because `allow_all` did not take precedence over `identity_provider`. Since JupyterHub 5.0, `allow_all` does take precedence over `identity_provider`. On a hub with the same config, now all users will be allowed to login, regardless of `identity_provider`. `identity_provider` will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jupyterhub | oauthenticator | < 16.3.1 | 16.3.1 |
| jupyterhub | oauthenticator | >= 0 < 16.3.1 | 16.3.1 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
ghsa·2024-06-12
CVE-2024-37300 [HIGH] CWE-863 Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
### Impact
JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. The configuration for this would look like:
```python
# Require users to be using the "foo.horse" identity provider, often an institution or university
c.GlobusAuthenticator.identity_provider = "foo.horse"
# Allow everyone who has that identity provider to log in
c.GlobusAuthenticator.allow_all = True
```
This worked fine prior to JupyterHub 5.0, because `allow_all` *did not* take precedence over `identity_provider`.
Since JupyterHub 5.0, `allow_all` *does* take precedence over `identity_provider`. On a hub with the same config, now **all** users will be
OSV
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
osv·2024-06-12
CVE-2024-37300 [HIGH] Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
### Impact
JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. The configuration for this would look like:
```python
# Require users to be using the "foo.horse" identity provider, often an institution or university
c.GlobusAuthenticator.identity_provider = "foo.horse"
# Allow everyone who has that identity provider to log in
c.GlobusAuthenticator.allow_all = True
```
This worked fine prior to JupyterHub 5.0, because `allow_all` *did not* take precedence over `identity_provider`.
Since JupyterHub 5.0, `allow_all` *does* take precedence over `identity_provider`. On a hub with the same config, now **all** users will be
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-usershttps://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users
2024-06-12
Published