CVE-2024-37300

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-37300
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37300.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-37300
Aliases
Related
Published
2024-06-12T16:15:12Z
Modified
2024-07-15T22:12:28.321106Z
Summary
[none]
Details

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because allow_all did not take precedence over identity_provider. Since JupyterHub 5.0, allow_all does take precedence over identity_provider. On a hub with the same config, now all users will be allowed to login, regardless of identity_provider. identity_provider will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using GlobusOAuthenticator in the prior configuration.

References

Affected packages

Git / github.com/jupyterhub/oauthenticator

Affected ranges

Type
GIT
Repo
https://github.com/jupyterhub/oauthenticator
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.10.0
0.11.0
0.12.0
0.12.1
0.12.3
0.13.0
0.2.0
0.3.0
0.4.0
0.4.1
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.8.2

14.*

14.0.0
14.1.0
14.2.0

15.*

15.0.0
15.0.1
15.1.0

16.*

16.0.0
16.0.1
16.0.2
16.0.3
16.0.4
16.0.5
16.0.6
16.0.7
16.1.0
16.1.1
16.2.0
16.2.1
16.3.0