Search criteria
3 vulnerabilities found for lti_jupyterhub_authenticator by jupyter
FKIE_CVE-2023-25574
Vulnerability from fkie_nvd - Published: 2025-02-25 15:15 - Updated: 2025-09-02 21:36
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jupyter | lti_jupyterhub_authenticator | 1.3.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jupyter:lti_jupyterhub_authenticator:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "972A882C-4130-4E8C-9B39-B83A2AF78F24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn\u0027t validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available."
},
{
"lang": "es",
"value": "`jupyterhub-ltiauthenticator` es un autenticador de JupyterHub para la interoperabilidad de herramientas de aprendizaje (LTI). LTI13Authenticator, que se introdujo en `jupyterhub-ltiauthenticator` 1.3.0, no validaba las firmas JWT. Se cree que esto permite que LTI13Authenticator autorice una solicitud falsificada. Solo los usuarios que han configurado una instalaci\u00f3n de JupyterHub para usar la clase de autenticador `LTI13Authenticator` se ven afectados. La versi\u00f3n 1.4.0 de `jupyterhub-ltiauthenticator` elimina LTI13Authenticator para solucionar el problema. No hay workarounds conocidos disponibles."
}
],
"id": "CVE-2023-25574",
"lastModified": "2025-09-02T21:36:09.113",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-02-25T15:15:16.227",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2023-25574 (GCVE-0-2023-25574)
Vulnerability from cvelistv5 – Published: 2025-02-25 14:42 – Updated: 2025-02-25 14:51
VLAI?
Summary
`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.
Severity ?
10 (Critical)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jupyterhub | ltiauthenticator |
Affected:
= 1.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25574",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:50:01.151150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:51:02.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ltiauthenticator",
"vendor": "jupyterhub",
"versions": [
{
"status": "affected",
"version": "= 1.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn\u0027t validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:42:33.337Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp"
},
{
"name": "https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164"
},
{
"name": "https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01"
}
],
"source": {
"advisory": "GHSA-mcgx-2gcr-p3hp",
"discovery": "UNKNOWN"
},
"title": "JupyterHub\u0027s LTI13Authenticator: JWT signature not validated"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25574",
"datePublished": "2025-02-25T14:42:33.337Z",
"dateReserved": "2023-02-07T17:10:00.741Z",
"dateUpdated": "2025-02-25T14:51:02.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25574 (GCVE-0-2023-25574)
Vulnerability from nvd – Published: 2025-02-25 14:42 – Updated: 2025-02-25 14:51
VLAI?
Summary
`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.
Severity ?
10 (Critical)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jupyterhub | ltiauthenticator |
Affected:
= 1.3.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25574",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:50:01.151150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:51:02.754Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ltiauthenticator",
"vendor": "jupyterhub",
"versions": [
{
"status": "affected",
"version": "= 1.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn\u0027t validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:42:33.337Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp"
},
{
"name": "https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164"
},
{
"name": "https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01"
}
],
"source": {
"advisory": "GHSA-mcgx-2gcr-p3hp",
"discovery": "UNKNOWN"
},
"title": "JupyterHub\u0027s LTI13Authenticator: JWT signature not validated"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-25574",
"datePublished": "2025-02-25T14:42:33.337Z",
"dateReserved": "2023-02-07T17:10:00.741Z",
"dateUpdated": "2025-02-25T14:51:02.754Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}