CVE-2024-37300
Description
OAuthenticator is software that lets OAuth2 identity providers be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with GlobusOAuthenticator, could be configured (via identity_provider) to allow only users from a particular institution. This worked prior to JupyterHub 5.0 because allow_all did not take precedence over identity_provider. Since JupyterHub 5.0, allow_all does take precedence over identity_provider, so on a hub with the same config all users are now allowed to log in regardless of identity_provider; identity_provider is effectively ignored. This is a documented change in JupyterHub 5.0, but it is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue for JupyterHub 5.0; previous JupyterHub versions are not affected. As a workaround, do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator in the prior configuration.
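To see why the placement of the identity_provider check matters, here is an added example (not code from oauthenticator or JupyterHub) that models the JupyterHub 5 ordering described above as an assumption: the block stage runs first, then allow_all short-circuits check_allowed. The Hub5Authenticator, GlobusBefore, GlobusAfter and authorize names, and the auth_state keys, are constructed for the example.

```python
import asyncio

# Constructed stand-in for the JupyterHub 5 authorization order (assumption):
# the block stage runs first, then allow_all short-circuits check_allowed.
class Hub5Authenticator:
    allow_all = False

    async def check_blocked_users(self, username, auth_model):
        return True  # True means "not blocked"

    async def check_allowed(self, username, auth_model):
        return False  # no allow config: nobody is allowed

    async def is_authorized(self, username, auth_model):
        if not await self.check_blocked_users(username, auth_model):
            return False
        return self.allow_all or await self.check_allowed(username, auth_model)

USER_AUTH_STATE_KEY = "globus_user"    # assumed stand-ins for the real
USERNAME_CLAIM = "preferred_username"  # configurable attribute values

def user_domain(auth_model):
    claim = auth_model["auth_state"][USER_AUTH_STATE_KEY][USERNAME_CLAIM]
    return claim.split("@", 1)[-1]

# Pre-fix placement: identity_provider is enforced inside check_allowed.
class GlobusBefore(Hub5Authenticator):
    identity_provider = "example.edu"

    async def check_allowed(self, username, auth_model):
        if user_domain(auth_model) != self.identity_provider:
            return False  # stands in for the HTTP 403 the real code raises
        return await super().check_allowed(username, auth_model)

# Post-fix placement: identity_provider is enforced in check_blocked_users.
class GlobusAfter(Hub5Authenticator):
    identity_provider = "example.edu"

    async def check_blocked_users(self, username, auth_model):
        if user_domain(auth_model) != self.identity_provider:
            return False
        return await super().check_blocked_users(username, auth_model)

def authorize(authenticator_cls, allow_all, username):
    """Run one login through the simplified flow; returns True if admitted."""
    auth = authenticator_cls()
    auth.allow_all = allow_all
    model = {"auth_state": {USER_AUTH_STATE_KEY: {USERNAME_CLAIM: username}}}
    return asyncio.run(auth.is_authorized(username, model))
```

With allow_all set, authorize(GlobusBefore, True, "eve@other.org") admits an off-domain user while authorize(GlobusAfter, True, "eve@other.org") rejects it, which is the whole difference the patch makes.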
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| oauthenticator (PyPI) | < 16.3.1 | 16.3.1 |
Patches
d1aea05fa89f Merge pull request from GHSA-gprj-3p75-f996
1 file changed · +21 −12
oauthenticator/globus.py+21 −12 modified@@ -297,30 +297,39 @@ async def check_allowed(self, username, auth_model): if auth_model is None: return True + if await super().check_allowed(username, auth_model): + return True + + if self.allowed_globus_groups: + user_groups = set(auth_model["auth_state"]["globus_groups"]) + if user_groups & self.allowed_globus_groups: + return True + self.log.warning(f"{username} not in an allowed Globus Group") + + # users should be explicitly allowed via config, otherwise they aren't + return False + + async def check_blocked_users(self, username, authentication): + """Check if the user should be blocked + + Called _before_ checking if the user should be allowed + """ + # any restrictions on access go here - allow config only _grants_ access, + # restrictions belong in the `block` stage # before considering allowing a username by being recognized in a list # of usernames or similar, we must ensure that the authenticated user is # from an allowed identity provider domain. if self.identity_provider: # It's possible for identity provider domains to be namespaced # https://docs.globus.org/api/auth/specification/#identity_provider_namespaces - user_info = auth_model["auth_state"][self.user_auth_state_key] + user_info = authentication["auth_state"][self.user_auth_state_key] user_domain = user_info.get(self.username_claim).split('@', 1)[-1] if user_domain != self.identity_provider: message = f"This site is restricted to {self.identity_provider} accounts. Link your account at app.globus.org/account." 
self.log.warning(message) raise web.HTTPError(403, message) - if await super().check_allowed(username, auth_model): - return True - - if self.allowed_globus_groups: - user_groups = set(auth_model["auth_state"]["globus_groups"]) - if user_groups & self.allowed_globus_groups: - return True - self.log.warning(f"{username} not in an allowed Globus Group") - - # users should be explicitly allowed via config, otherwise they aren't - return False + return super().check_blocked_users(username, authentication) async def update_auth_model(self, auth_model): """
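Review bot: the new `check_blocked_users` reads `authentication["auth_state"][self.user_auth_state_key]` with no guard, whereas the retained `check_allowed` still opens with `if auth_model is None: return True`; if the block stage is reached with a missing or `None` `auth_state` this raises a `TypeError`/`KeyError` rather than a clean 403 or pass-through, so consider mirroring that guard before reading `user_info`. Moving the `identity_provider` restriction into the block stage is the right fix, since the hunk's own comment says allow config only grants access and this stage is called before the allowed check, so an `allow_all` short-circuit no longer skips it; the docstring should also state that a domain mismatch raises `web.HTTPError(403)` instead of returning False, which callers of `super().check_blocked_users` may not expect.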
References
- github.com/advisories/GHSA-gprj-3p75-f996 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37300 (GHSA, advisory)
- github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654 (NVD, web)
- github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996 (NVD, web)
- jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html (NVD, web)