CVE-2024-37300

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-37300

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-37300.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-37300

Aliases

GHSA-gprj-3p75-f996

Related

CGA-qwcg-8rgg-jfqm

Published

2024-06-12T16:15:12Z

Modified

2024-10-12T11:25:01.920594Z

Summary

[none]

Details

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allow_all did not take precedence over identity_provider. Since JupyterHub 5.0, allow_all does take precedence over identity_provider. On a hub with the same config, now all users will be allowed to login, regardless of identity_provider. identity_provider will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator in the prior configuration.

References

Affected packages

Git / github.com/jupyterhub/oauthenticator

Affected ranges

Type: GIT
Repo: https://github.com/jupyterhub/oauthenticator
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d1aea05fa89f2beae15ab0fa0b0d071030f79654

Affected versions

0.*

0.10.0

0.11.0

0.12.0

0.12.1

0.12.3

0.13.0

0.2.0

0.3.0

0.4.0

0.4.1

0.5.0

0.5.1

0.6.0

0.6.1

0.7.0

0.7.1

0.7.2

0.8.0

0.8.1

0.8.2

14.*

14.0.0

14.1.0

14.2.0

15.*

15.0.0

15.0.1

15.1.0

16.*

16.0.0

16.0.1

16.0.2

16.0.3

16.0.4

16.0.5

16.0.6

16.0.7

16.1.0

16.1.1

16.2.0

16.2.1

16.3.0