CVE-2024-37300
Description
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. A hub running JupyterHub < 5.0 with GlobusOAuthenticator could be configured to allow only users from a particular institution, via identity_provider. This worked as intended prior to JupyterHub 5.0, because allow_all did not take precedence over identity_provider. Since JupyterHub 5.0, allow_all does take precedence over identity_provider. On a hub with the same configuration, all users are now allowed to log in regardless of identity_provider; the identity_provider setting is effectively ignored. This is a documented change in JupyterHub 5.0, but it is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0 and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator in the prior configuration.
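The precedence problem is an ordering bug in an allow check: a "let everyone in" flag evaluated before a "but only from this institution" restriction silently widens the allowed set. The following is a constructed model written for this page to illustrate that ordering; it is not OAuthenticator's or JupyterHub's own code, the `Config` class, the `check_allowed_*` functions and the `auth_state` dictionary shape are assumptions, and `uni.example` is a placeholder institution.

```python
"""Constructed illustration of the allow_all / identity_provider precedence
described in CVE-2024-37300. Not the project's implementation."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Config:
    """Assumed simplification of the authenticator's allow-related settings."""
    allow_all: bool = False
    allowed_users: Set[str] = field(default_factory=set)
    identity_provider: Optional[str] = None  # e.g. "uni.example" (placeholder)


def _identity_provider_ok(cfg: Config, auth_state: dict) -> bool:
    """True when no institution restriction is set, or the login's
    identity provider matches the configured one."""
    if cfg.identity_provider is None:
        return True
    return auth_state.get("identity_provider") == cfg.identity_provider


def check_allowed_vulnerable(cfg: Config, username: str, auth_state: dict) -> bool:
    """Ordering modelled on the JupyterHub 5.0 behaviour described above:
    allow_all short-circuits before the institution check is reached,
    so identity_provider is effectively ignored."""
    if cfg.allow_all:
        return True
    if not _identity_provider_ok(cfg, auth_state):
        return False
    return username in cfg.allowed_users


def check_allowed_fixed(cfg: Config, username: str, auth_state: dict) -> bool:
    """Ordering modelled on the intended semantics (OAuthenticator 16.3.1):
    the institution restriction is a hard gate evaluated first, so allow_all
    can only widen the set of users *within* that identity provider."""
    if not _identity_provider_ok(cfg, auth_state):
        return False
    if cfg.allow_all:
        return True
    return username in cfg.allowed_users


def demo() -> dict:
    """Run both orderings against the same config and return the outcomes,
    so the widening is visible side by side."""
    cfg = Config(allow_all=True, identity_provider="uni.example")
    member = {"identity_provider": "uni.example"}     # constructed sample login
    outsider = {"identity_provider": "other.example"}  # constructed sample login
    return {
        "vulnerable_member": check_allowed_vulnerable(cfg, "alice", member),
        "vulnerable_outsider": check_allowed_vulnerable(cfg, "mallory", outsider),
        "fixed_member": check_allowed_fixed(cfg, "alice", member),
        "fixed_outsider": check_allowed_fixed(cfg, "mallory", outsider),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The practical check for an operator is the `fixed_outsider` case: after an upgrade to JupyterHub 5.0, a login from an identity provider other than the configured one must still be denied; if it is accepted, the hub is running the affected ordering and OAuthenticator should be updated to 16.3.1 or later.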
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| oauthenticator (PyPI) | < 16.3.1 | 16.3.1 |
Affected products
Affected versions: 0.10.0, 0.11.0, 0.12.0, …
OSV coordinates (no CPE assigned):
- pkg:apk/chainguard/py3.10-oauthenticator: < 16.3.1-r0
- pkg:apk/chainguard/py3.11-oauthenticator: < 16.3.1-r0
- pkg:apk/chainguard/py3.12-oauthenticator: < 16.3.1-r0
- pkg:apk/chainguard/py3.13-oauthenticator: < 16.3.1-r0
- pkg:apk/chainguard/py3-oauthenticator: < 16.3.1-r0
- pkg:apk/chainguard/py3-supported-oauthenticator: < 16.3.1-r0
- pkg:apk/wolfi/py3.10-oauthenticator: < 16.3.1-r0
- pkg:apk/wolfi/py3.11-oauthenticator: < 16.3.1-r0
- pkg:apk/wolfi/py3.12-oauthenticator: < 16.3.1-r0
- pkg:apk/wolfi/py3.13-oauthenticator: < 16.3.1-r0
- pkg:apk/wolfi/py3-oauthenticator: < 16.3.1-r0
- pkg:apk/wolfi/py3-supported-oauthenticator: < 16.3.1-r0
- pkg:pypi/oauthenticator: < 16.3.1
References
- github.com/advisories/GHSA-gprj-3p75-f996 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37300 (GHSA, advisory)
- github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654 (NVD, fix commit)
- github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996 (NVD, repository advisory)
- jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html (NVD, JupyterHub 5 upgrade guide)