pysec - pysec-2023-271

PYSEC-2023-271

Vulnerability from pysec - Published: 2023-12-29 17:16 - Updated: 2024-11-21 14:22

Details

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change their email address, they could create accounts and use resources in clusters that they should not have access to. For example, a user could create a Microsoft or Google account and then change their email to test@example.org. This account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is example.org. The attacker is not able to access private data or impersonate another user, but they would have the ability to run jobs if Hail Batch billing projects are enabled and create Azure Tenants if they have Azure Active Directory Administrator access.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Impacted products

Name	purl
hail	pkg:pypi/hail

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "hail",
        "purl": "pkg:pypi/hail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.127"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.2",
        "0.2.1",
        "0.2.10",
        "0.2.100",
        "0.2.101",
        "0.2.102",
        "0.2.103",
        "0.2.104",
        "0.2.105",
        "0.2.106",
        "0.2.107",
        "0.2.108",
        "0.2.109",
        "0.2.11",
        "0.2.110",
        "0.2.111",
        "0.2.112",
        "0.2.113",
        "0.2.114",
        "0.2.115",
        "0.2.116",
        "0.2.117",
        "0.2.118",
        "0.2.119",
        "0.2.12",
        "0.2.120",
        "0.2.121",
        "0.2.122",
        "0.2.123",
        "0.2.124",
        "0.2.125",
        "0.2.126",
        "0.2.13",
        "0.2.14",
        "0.2.15",
        "0.2.16",
        "0.2.17",
        "0.2.18",
        "0.2.19",
        "0.2.2",
        "0.2.20",
        "0.2.21",
        "0.2.22",
        "0.2.23",
        "0.2.24",
        "0.2.25",
        "0.2.26",
        "0.2.27",
        "0.2.28",
        "0.2.29",
        "0.2.3",
        "0.2.30",
        "0.2.31",
        "0.2.32",
        "0.2.33",
        "0.2.34",
        "0.2.35",
        "0.2.36",
        "0.2.37",
        "0.2.38",
        "0.2.39",
        "0.2.4",
        "0.2.40",
        "0.2.41",
        "0.2.42",
        "0.2.43",
        "0.2.44",
        "0.2.45",
        "0.2.46",
        "0.2.47",
        "0.2.48",
        "0.2.49",
        "0.2.5",
        "0.2.50",
        "0.2.51",
        "0.2.52",
        "0.2.53",
        "0.2.54",
        "0.2.55",
        "0.2.56",
        "0.2.57",
        "0.2.58",
        "0.2.59",
        "0.2.6",
        "0.2.60",
        "0.2.61",
        "0.2.62",
        "0.2.63",
        "0.2.64",
        "0.2.65",
        "0.2.66",
        "0.2.67",
        "0.2.68",
        "0.2.69",
        "0.2.7",
        "0.2.70",
        "0.2.71",
        "0.2.72",
        "0.2.73",
        "0.2.74",
        "0.2.75",
        "0.2.76",
        "0.2.77",
        "0.2.78",
        "0.2.79",
        "0.2.8",
        "0.2.80",
        "0.2.81",
        "0.2.82",
        "0.2.83",
        "0.2.84",
        "0.2.85",
        "0.2.86",
        "0.2.87",
        "0.2.88",
        "0.2.89",
        "0.2.9",
        "0.2.90",
        "0.2.91",
        "0.2.92",
        "0.2.93",
        "0.2.94",
        "0.2.95",
        "0.2.96",
        "0.2.97",
        "0.2.98",
        "0.2.99"
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51663",
    "GHSA-487p-qx68-5vjw"
  ],
  "details": "Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens to verify the validity of a user\u0027s domain, but because users have the ability to change their email address, they could create accounts and use resources in clusters that they should not have access to. For example, a user could create a Microsoft or Google account and then change their email to `test@example.org`. This account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is `example.org`. The attacker is not able to access private data or impersonate another user, but they would have the ability to run jobs if Hail Batch billing projects are enabled and create Azure Tenants if they have Azure Active Directory Administrator access.",
  "id": "PYSEC-2023-271",
  "modified": "2024-11-21T14:22:51.672042+00:00",
  "published": "2023-12-29T17:16:00+00:00",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/hail-is/hail/security/advisories/GHSA-487p-qx68-5vjw"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-487P-QX68-5VJW

Vulnerability from github – Published: 2024-01-02 16:40 – Updated: 2024-11-22 17:59

Summary

Hail relies on OIDC email claims to verify the validity of a user's domain.

Details

Impact

All Hail Batch clusters are affected. An attacker is able to:

Create one or more accounts with Hail Batch without corresponding real accounts in the organization.

For example, a user could create a Microsoft or Google account and then change their email to "inconspicuous@example.org". This Microsoft or Google account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is "example.org".

In Google, this attack is partially mitigated because Google requires users to verify ownership of their Google account. However, a valid user is able to create multiple distinct Hail Batch accounts by creating multiple distinct Google accounts using email addresses of the form "real_user_email_name+random_id@example.org".

In Microsoft, this attack requires Azure AD Administrator access to an Azure AD Tenant. The Azure AD Administrator is permitted to change the email address of an account to any other email address without verification. An attacker can create an Azure Tenant for free.

The attacker does not have access to any private data (because the new service principals or service accounts are not granted any privileges).
If trial Hail Batch billing projects are enabled, the attacker does have the ability to run jobs and thus spend money. An attacker can create as many accounts as Microsoft or Google permit.
The attacker cannot impersonate another user because, in Azure, we use the sub from the OAuth2 response, and, in Google, Google does an email verification.

Remediation

Apply this patch to prevent third-party attackers from creating accounts.
Audit your users list https://auth.example.org/users for user accounts whose login ids are not valid login ids with your identity provider. Delete such users.

A forthcoming change will prevent users from creating multiple accounts using Google's + email redirection.

Workarounds

None.

References

https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/
https://www.descope.com/blog/post/noauth
https://developers.google.com/identity/openid-connect/openid-connect#an-id-tokens-payload
https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference#payload-claims

[1] Hail Batch must separately stop using emails and start using the OAuth2 sub in Google. This is a known deficiency. In particular, if an email is re-used by the organization for a new user, the new user could access the old user's Hail Batch account.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "hail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.127"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-51663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-289"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-02T16:40:58Z",
    "nvd_published_at": "2023-12-29T17:16:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAll Hail Batch clusters are affected. An attacker is able to:\n\n1. Create one or more accounts with Hail Batch without corresponding real accounts in the organization.\n\nFor example, a user could create a Microsoft or Google account and then change their email to \"inconspicuous@example.org\". This Microsoft or Google account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is \"example.org\".\n\nIn Google, this attack is partially mitigated because Google requires users to verify ownership of their Google account. However, a valid user is able to create multiple distinct Hail Batch accounts by creating multiple distinct Google accounts using email addresses of the form \"real_user_email_name+random_id@example.org\".\n\nIn Microsoft, this attack requires Azure AD Administrator access to an Azure AD Tenant. The Azure AD Administrator is permitted to change the email address of an account to any other email address without verification. An attacker can create an Azure Tenant for free.\n\n1. The attacker *does not* have access to any private data (because the new service principals or service accounts are not granted any privileges).\n3. If trial Hail Batch billing projects are enabled, the attacker *does* have the ability to run jobs and thus spend money. An attacker can create as many accounts as Microsoft or Google permit.\n4. The attacker *cannot* impersonate another user because, in Azure, we use the `sub` from the OAuth2 response, and, in Google, Google does an email verification.\n\n### Remediation\n\n1. Apply this patch to prevent third-party attackers from creating accounts.\n2. Audit your users list https://auth.example.org/users for user accounts whose login ids are not valid login ids with your identity provider. Delete such users.\n\nA forthcoming change will prevent users from creating multiple accounts using Google\u0027s `+` email redirection.\n\n### Workarounds\nNone.\n\n### References\n1. https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/\n2. https://www.descope.com/blog/post/noauth\n4. https://developers.google.com/identity/openid-connect/openid-connect#an-id-tokens-payload\n5. https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference#payload-claims\n\n[1] Hail Batch must separately stop using emails and start using the OAuth2 `sub` in Google. This is a known deficiency. In particular, if an email is re-used by the organization for a new user, the new user could access the old user\u0027s Hail Batch account.",
  "id": "GHSA-487p-qx68-5vjw",
  "modified": "2024-11-22T17:59:30Z",
  "published": "2024-01-02T16:40:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hail-is/hail/security/advisories/GHSA-487p-qx68-5vjw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51663"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hail-is/hail/commit/0dcc17ff24564b6f5592261d7975e8afd0f95de7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hail-is/hail"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/hail/PYSEC-2023-271.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hail relies on OIDC email claims to verify the validity of a user\u0027s domain."
}

CVE-2023-51663 (GCVE-0-2023-51663)

Vulnerability from cvelistv5 – Published: 2023-12-29 16:53 – Updated: 2025-04-17 20:14

Summary

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change their email address, they could create accounts and use resources in clusters that they should not have access to. For example, a user could create a Microsoft or Google account and then change their email to `test@example.org`. This account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is `example.org`. The attacker is not able to access private data or impersonate another user, but they would have the ability to run jobs if Hail Batch billing projects are enabled and create Azure Tenants if they have Azure Active Directory Administrator access.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-289 - Authentication Bypass by Alternate Name

Assigner

GitHub_M

References

URL

Tags

https://github.com/hail-is/hail/security/advisori…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	hail-is	hail	Affected: < 0.2.127

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:40:34.155Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/hail-is/hail/security/advisories/GHSA-487p-qx68-5vjw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/hail-is/hail/security/advisories/GHSA-487p-qx68-5vjw"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-51663",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-03T19:26:10.951535Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-17T20:14:52.468Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hail",
          "vendor": "hail-is",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.2.127"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens to verify the validity of a user\u0027s domain, but because users have the ability to change their email address, they could create accounts and use resources in clusters that they should not have access to. For example, a user could create a Microsoft or Google account and then change their email to `test@example.org`. This account can then be used to create a Hail Batch account in Hail Batch clusters whose organization domain is `example.org`. The attacker is not able to access private data or impersonate another user, but they would have the ability to run jobs if Hail Batch billing projects are enabled and create Azure Tenants if they have Azure Active Directory Administrator access."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-289",
              "description": "CWE-289: Authentication Bypass by Alternate Name",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-29T16:53:36.692Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/hail-is/hail/security/advisories/GHSA-487p-qx68-5vjw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/hail-is/hail/security/advisories/GHSA-487p-qx68-5vjw"
        }
      ],
      "source": {
        "advisory": "GHSA-487p-qx68-5vjw",
        "discovery": "UNKNOWN"
      },
      "title": "Hail authentication can be bypassed by changing email address"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-51663",
    "datePublished": "2023-12-29T16:53:36.692Z",
    "dateReserved": "2023-12-21T14:14:26.224Z",
    "dateUpdated": "2025-04-17T20:14:52.468Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2023-271

GHSA-487P-QX68-5VJW

Impact

Remediation

Workarounds

References

CVE-2023-51663 (GCVE-0-2023-51663)

Tags

Sightings

Nomenclature