79 matches found
GHSA-55M3-44XF-HG4H vulnerabilities
Vulnerabilities for packages: py3-oauthenticator...
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace
Summary and impact GoogleOAuthenticator.hosteddomain is used to restrict what Google accounts can be authorized to access a JupyterHub. The restriction is intended to ensure Google accounts are part of one or more Google organizations/workspaces verified to control specified domains. The...
OAuthenticator 安全漏洞
OAuthenticator is an OAuth token library for the JupyerHub login handler. A security vulnerability exists in OAuthenticator versions prior to 16.3.0 that stems from incorrectly validating membership...
PT-2024-22686
Name of the Vulnerable Software and Affected Versions oauthenticator versions prior to 16.3.0 Description The issue is related to the GoogleOAuthenticator.hosted domain parameter, which is intended to restrict access to Google accounts that are part of one or more Google organizations verified to...
CVE-2022-31027
OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowedidps...
Authorization
OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowedidps...
keycloakauthenticator (>=3.0.0 <=3.1.0), ssb-ipython-kernels (>=0.2.25 <=0.3.2) potentially affected by CVE-2022-31027 via oauthenticator (>=14.0.0 <=14.2.0)
oauthenticator PYPI version =14.0.0, =3.0.0, =0.2.25, =0.3.2 Source cves: CVE-2022-31027 Source advisory: OSV:PYSEC-2022-206...
PYSEC-2022-206
OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowedidps...
OAuthenticator 安全漏洞
OAuthenticator is an OAuth token library for the JupyerHub login handler. A security vulnerability exists in OAuthenticator version 14.2.0 and earlier, which stems from CILogon, a federated authentication provider that allows users to authenticate with multiple identity providers IdPs...
Authorization Bypass
oauthenticator is vulnerable to authorization bypass. The vulnerability exists because CILogonOAuthenticator doesn't properly validate the email address which allows an attacker to get access to the JupyterHub...
Authorization Bypass Through User-Controlled Key when using CILogonOAuthenticator oauthenticator
Background CILogon is a federated auth provider that allows users to authenticate themselves via a number of Identity Providers IdP, focused primarily on educational and research institutions such as Universities. More traditional and open IdPs such as GitHub, ORCID, Google, Microsoft, etc are al...
keycloakauthenticator (>=3.0.0 <=3.1.0), ssb-ipython-kernels (>=0.2.25 <=0.3.2) potentially affected by CVE-2022-31027 via oauthenticator (>=14.0.0 <=14.2.0)
oauthenticator PYPI version =14.0.0, =3.0.0, =0.2.25, =0.3.2 Source cves: CVE-2022-31027 Source advisory: OSV:GHSA-R7V4-JWX9-WX43...
GHSA-R7V4-JWX9-WX43 Authorization Bypass Through User-Controlled Key when using CILogonOAuthenticator oauthenticator
Background CILogon is a federated auth provider that allows users to authenticate themselves via a number of Identity Providers IdP, focused primarily on educational and research institutions such as Universities. More traditional and open IdPs such as GitHub, ORCID, Google, Microsoft, etc are al...
CVE-2022-31027 Authorization Bypass Through User-Controlled Key when using CILogonOAuthenticator in oauthenticator
OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowedidps...
CVE-2022-31027 Authorization Bypass Through User-Controlled Key when using CILogonOAuthenticator in oauthenticator
OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowedidps...
CVE-2022-31027
CVE-2022-31027 affects the OAuthenticator/CILogonOAuthenticator used by JupyterHub. The root cause is that allowed_idps is validated only by email domain, not by IdP (provider) identity, allowing login via an alternate IdP with a @domained email (e.g., berkeley.edu) to bypass intended restriction...
GHSA-8X3M-M3X9-54FJ JupyterHub OAuthenticator elevation of privilege
An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on...
JupyterHub OAuthenticator elevation of privilege
An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on...
Insecure Access Control
oauthenticator uses insecure access control. The deprecated configuration Authenticator.whitelist, which should be transparently mapped to Authenticator.allowedusers with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been...
CVE-2020-26250
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated in jupyterhub 1.2 configuration Authenticator.whitelist, which should be transparently mapped to Authenticator.allowedusers with a warning, is instead ignored by...