GHSA-gprj-3p75-f996
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gprj-3p75-f996
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-gprj-3p75-f996/GHSA-gprj-3p75-f996.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-gprj-3p75-f996
- Aliases
- Related
- Published
- 2024-06-12T17:13:07Z
- Modified
- 2024-07-15T22:42:21.922673Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
- Details
-
Impact
JupyterHub < 5.0, when used with
GlobusOAuthenticator, could be configured to allow all users from a particular institution only. The configuration for this would look like:# Require users to be using the "foo.horse" identity provider, often an institution or university c.GlobusAuthenticator.identity_provider = "foo.horse" # Allow everyone who has that identity provider to log in c.GlobusAuthenticator.allow_all = TrueThis worked fine prior to JupyterHub 5.0, because
allow_alldid not take precedence overidentity_provider.Since JupyterHub 5.0,
allow_alldoes take precedence overidentity_provider. On a hub with the same config, now all users will be allowed to login, regardless ofidentity_provider.identity_providerwill basically be ignored.This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise.
Patches
OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions.
Workarounds
Do not upgrade to JupyterHub 5.0 when using
GlobusOAuthenticatorin the prior configuration. - Database specific
{ "nvd_published_at": "2024-06-12T16:15:12Z", "cwe_ids": [ "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-06-12T17:13:07Z" }- References
-
- https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
- https://nvd.nist.gov/vuln/detail/CVE-2024-37300
- https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
- https://github.com/jupyterhub/oauthenticator
- https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users
Affected packages
PyPI / oauthenticator
Package
- Name
- oauthenticator
- View open source insights on deps.dev
- Purl
- pkg:pypi/oauthenticator
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed16.3.1