Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ncHJqLTNwNzUtZjk5Ns4AA8-l
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
Impact
JupyterHub < 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. The configuration for this would look like:
# Require users to be using the "foo.horse" identity provider, often an institution or university
c.GlobusAuthenticator.identity_provider = "foo.horse"
# Allow everyone who has that identity provider to log in
c.GlobusAuthenticator.allow_all = True
This worked fine prior to JupyterHub 5.0, because allow_all did not take precedence over identity_provider.
Since JupyterHub 5.0, allow_all does take precedence over identity_provider. On a hub with the same config, now all users will be allowed to login, regardless of identity_provider. identity_provider will basically be ignored.
This is a documented change in JupyterHub 5.0,
but is likely to catch many users by surprise.
Patches
OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions.
Workarounds
Do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator in the prior configuration.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ncHJqLTNwNzUtZjk5Ns4AA8-l
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-gprj-3p75-f996, CVE-2024-37300
References:
- https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
- https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
- https://nvd.nist.gov/vuln/detail/CVE-2024-37300
- https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users
- https://github.com/advisories/GHSA-gprj-3p75-f996
Blast Radius: 17.2
Affected Packages
pypi:oauthenticator
Dependent packages: 11Dependent repositories: 132
Downloads: 81,906 last month
Affected Version Ranges: < 16.3.1
Fixed in: 16.3.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 14.0.0, 14.1.0, 14.2.0, 15.0.0, 15.0.1, 15.1.0, 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4, 16.0.5, 16.0.6, 16.0.7, 16.1.0, 16.1.1, 16.2.0, 16.2.1, 16.3.0
All unaffected versions: 16.3.1, 17.0.0, 17.1.0