CVE-2024-37300
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-37300
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37300.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-37300
- Aliases
- Related
- Published
- 2024-06-12T15:20:20.363Z
- Modified
- 2025-12-05T05:06:43.956627Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
- Details
-
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with
GlobusOAuthenticator, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, becauseallow_alldid not take precedence overidentity_provider. Since JupyterHub 5.0,allow_alldoes take precedence overidentity_provider. On a hub with the same config, now all users will be allowed to login, regardless ofidentity_provider.identity_providerwill basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when usingGlobusOAuthenticatorin the prior configuration. - Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37300.json", "cwe_ids": [ "CWE-863" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/37xxx/CVE-2024-37300.json
- https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
- https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
- https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users
- https://nvd.nist.gov/vuln/detail/CVE-2024-37300