CVE-2024-37300

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allowall di...

Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0

Impact JupyterHub 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. The configuration for this would look like: python Require users to be using the "foo.horse" identity provider, often an institution or university...

GHSA-GPRJ-3P75-F996 Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0

Impact JupyterHub 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. The configuration for this would look like: python Require users to be using the "foo.horse" identity provider, often an institution or university...

CVE-2024-37300

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allowall di...

CVE-2024-37300 Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allowall di...

CVE-2024-37300

CVE-2024-37300 affects OAuthenticator used with JupyterHub when configured with Globe?osAuthenticator (GlobusOAuthenticator) prior to version 5.0. In JupyterHub 5.0, the setting allow_all takes precedence over identity_provider, which can cause all users from any institution to log in, effectivel...

CVE-2024-37300 Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allowall di...