VYPR
Critical severity · NVD Advisory · Published Feb 25, 2025 · Updated Feb 25, 2025

JupyterHub's LTI13Authenticator: JWT signature not validated

CVE-2023-25574

Description

jupyterhub-ltiauthenticator is a JupyterHub authenticator for Learning Tools Interoperability (LTI). The LTI13Authenticator class, introduced in jupyterhub-ltiauthenticator 1.3.0, did not validate JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users who have configured a JupyterHub installation to use the authenticator class LTI13Authenticator are affected. jupyterhub-ltiauthenticator version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| jupyterhub-ltiauthenticator (PyPI) | >= 1.3.0, < 1.4.0 | 1.4.0 |
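
The two conditions above (a version in the affected range and a configuration that selects LTI13Authenticator) can be checked together. The following is an added example, not code from the advisory or the project; the sample configuration is constructed, its module path is illustrative, and the check assumes the configuration names the class explicitly on the authenticator_class line.

```python
import re
from importlib import metadata

PACKAGE = "jupyterhub-ltiauthenticator"
AFFECTED_FROM = (1, 3, 0)  # advisory: >= 1.3.0
FIXED_IN = (1, 4, 0)       # advisory: < 1.4.0; 1.4.0 removes LTI13Authenticator

# Constructed sample config; the module path is illustrative.
SAMPLE_CONFIG = '''
# c.JupyterHub.authenticator_class = "ltiauthenticator.LTIAuthenticator"
c.JupyterHub.authenticator_class = "ltiauthenticator.lti13.auth.LTI13Authenticator"
'''

def version_in_range(version):
    """True if the version string falls in the advisory's affected range."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)(.*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")][:3]
    release = tuple(parts + [0] * (3 - len(parts)))
    # Conservative assumption: a pre-release of the fixed version may still
    # ship the class, so "1.4.0rc1" counts as affected.
    is_pre = bool(re.search(r"(a|b|rc|dev)\d*$", match.group(2).strip()))
    if is_pre and release == FIXED_IN:
        return True
    return AFFECTED_FROM <= release < FIXED_IN

def config_enables_lti13(config_text):
    """True if an uncommented authenticator_class line names LTI13Authenticator."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]  # drop trailing comments
        if "authenticator_class" in code and "LTI13Authenticator" in code:
            return True
    return False

def installed_version():
    """Installed package version, or None if the package is absent."""
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None

def assess(version, config_text):
    if version is None or not version_in_range(version):
        return "not affected"
    if config_enables_lti13(config_text):
        return "AFFECTED: upgrade to 1.4.0"
    return "package in affected range, LTI13Authenticator not enabled"

if __name__ == "__main__":
    print(assess(installed_version(), SAMPLE_CONFIG))
```

To check a real deployment, pass the text of its jupyterhub_config.py in place of SAMPLE_CONFIG.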
