8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with GlobusOAuthenticator
, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allow_all
did not take precedence over identity_provider
. Since JupyterHub 5.0, allow_all
does take precedence over identity_provider
. On a hub with the same config, now all users will be allowed to login, regardless of identity_provider
. identity_provider
will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator
in the prior configuration.
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%