GHSA-GPRJ-3P75-F996

Vulnerability from github – Published: 2024-06-12 17:13 – Updated: 2024-06-12 19:24
VLAI?
Summary
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
Details

Impact

JupyterHub < 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. The configuration for this would look like:

# Require users to be using the "foo.horse" identity provider, often an institution or university
c.GlobusAuthenticator.identity_provider = "foo.horse"
# Allow everyone who has that identity provider to log in
c.GlobusAuthenticator.allow_all = True

This worked fine prior to JupyterHub 5.0, because allow_all did not take precedence over identity_provider.

Since JupyterHub 5.0, allow_all does take precedence over identity_provider. On a hub with the same config, now all users will be allowed to login, regardless of identity_provider. identity_provider will basically be ignored.

This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise.

Patches

OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions.

Workarounds

Do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator in the prior configuration.

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "oauthenticator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "16.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-37300"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-12T17:13:07Z",
    "nvd_published_at": "2024-06-12T16:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nJupyterHub \u003c 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. The configuration for this would look like:\n\n```python\n# Require users to be using the \"foo.horse\" identity provider, often an institution or university\nc.GlobusAuthenticator.identity_provider = \"foo.horse\"\n# Allow everyone who has that identity provider to log in\nc.GlobusAuthenticator.allow_all = True\n```\n\nThis worked fine prior to JupyterHub 5.0, because `allow_all` *did not* take precedence over `identity_provider`.\n\nSince JupyterHub 5.0, `allow_all` *does* take precedence over `identity_provider`. On a hub with the same config, now **all** users will be allowed to login, regardless of `identity_provider`. `identity_provider` will basically be ignored.\n\nThis is a [documented change](https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users) in JupyterHub 5.0,\nbut is likely to catch many users by surprise.\n\n### Patches\n\nOAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions.\n\n### Workarounds\n\nDo not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration.",
  "id": "GHSA-gprj-3p75-f996",
  "modified": "2024-06-12T19:24:05Z",
  "published": "2024-06-12T17:13:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37300"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/oauthenticator"
    },
    {
      "type": "WEB",
      "url": "https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.