CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
15.5%
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with GlobusOAuthenticator
, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allow_all
did not take precedence over identity_provider
. Since JupyterHub 5.0, allow_all
does take precedence over identity_provider
. On a hub with the same config, now all users will be allowed to login, regardless of identity_provider
. identity_provider
will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator
in the prior configuration.
[
{
"vendor": "jupyterhub",
"product": "oauthenticator",
"versions": [
{
"version": "< 16.3.1",
"status": "affected"
}
]
}
]