Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-384W-5V3F-Q499
HistoryDec 01, 2020 - 8:25 p.m.

Base class whitelist configuration ignored in OAuthenticator

2020-12-0120:25:00
Google
osv.dev
12
oauthenticator
whitelist
configuration
ignored
jupyterhub
impact
deprecated
allowed users
authorization
restriction
githuboauthenticator
helm chart
oauthenticator
update
workarounds
documentation
security advisory

EPSS

0.002

Percentile

54.7%

JSON

Impact

What goes wrong?

The deprecated (in jupyterhub 1.2) configuration Authenticator.whitelist, which should be transparently mapped to Authenticator.allowed_users with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as GitHubOAuthenticator.org_whitelist are not affected.

Who is impacted?

All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the admin.whitelist.users configuration in the jupyterhub helm chart or the c.Authenticator.whitelist configuration directly. Users of other deprecated configuration, e.g. c.GitHubOAuthenticator.team_whitelist are not affected.

If you see a log line like this and expect a specific list of allowed usernames:

[I 2020-11-27 16:51:54.528 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed.

you are likely affected.

Patches

  • Replacing deprecated c.Authenticator.whitelist = ... with c.Authenticator.allowed_users = ... avoids the issue.
  • Update oauthenticator to 0.12.2
  • Update jupyterhub helm chart to 0.10.6

If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface, per the documentation.

Workarounds

Replacing c.Authenticator.whitelist = ... with c.Authenticator.allowed_users = ... avoids the issue.

In the jupyterhub helm chart prior to 0.10.6, this can be done via hub.extraConfig:

auth:
  allowedUsers:
  - user1
  - user2

hub:
  extraConfig:
    allowedUsers: |
        # set new field not exposed in helm chart < 0.10.6
        set_config_if_not_none(c.Authenticator, "allowed_users", "auth.allowedUsers")

For more information

If you have any questions or comments about this advisory:

Related

osv 2
cvelist 1
prion 1
cve 1
veracode 1
github 1
nvd 1
osv
osv
CVE-2020-26250
2020-12-01 21:15:14
PYSEC-2020-68
2020-12-01 21:15:00
cvelist
cvelist
CVE-2020-26250 Base class whitelist configuration ignored in OAuthenticator
2020-12-01 20:30:16
prion
prion
Design/Logic Flaw
2020-12-01 21:15:00
cve
cve
CVE-2020-26250
2020-12-01 21:15:14
veracode
veracode
Insecure Access Control
2020-12-02 03:09:42
github
github
Base class whitelist configuration ignored in OAuthenticator
2020-12-01 20:25:00
nvd
nvd
CVE-2020-26250
2020-12-01 21:15:14

EPSS

0.002

Percentile

54.7%

JSON
Related for OSV:GHSA-384W-5V3F-Q499
osv2cvelist1prion1cve1veracode1github1nvd1