CVE-2024-37300 - OpenCVE

Link	Resource
https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37300", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-05T20:10:46.497Z", "datePublished": "2024-06-12T15:20:20.363Z", "dateUpdated": "2024-06-12T18:01:08.137Z"}, "containers": {"cna": {"title": "Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996"}, {"name": "https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654", "tags": ["x_refsource_MISC"], "url": "https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654"}, {"name": "https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users", "tags": ["x_refsource_MISC"], "url": "https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users"}], "affected": [{"vendor": "jupyterhub", "product": "oauthenticator", "versions": [{"version": "< 16.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-12T15:20:20.363Z"}, "descriptions": [{"lang": "en", "value": "OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because `allow_all` did not take precedence over `identity_provider`. Since JupyterHub 5.0, `allow_all` does take precedence over `identity_provider`. On a hub with the same config, now all users will be allowed to login, regardless of `identity_provider`. `identity_provider` will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration."}], "source": {"advisory": "GHSA-gprj-3p75-f996", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T18:00:57.680016Z", "id": "CVE-2024-37300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T18:01:08.137Z"}}]}}

{"descriptions": [{"lang": "en", "value": "OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because `allow_all` did not take precedence over `identity_provider`. Since JupyterHub 5.0, `allow_all` does take precedence over `identity_provider`. On a hub with the same config, now all users will be allowed to login, regardless of `identity_provider`. `identity_provider` will basically be ignored. This is a documented change in JupyterHub 5.0, but is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0, and does not affect previous versions. As a workaround, do not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration."}, {"lang": "es", "value": "OAuthenticator es un software que permite conectar y utilizar proveedores de identidad OAuth2 con JupyterHub. JupyterHub < 5.0, cuando se usa con `GlobusOAuthenticator`, se puede configurar para permitir solo a todos los usuarios de una instituci\u00f3n en particular. Esto funcion\u00f3 bien antes de JupyterHub 5.0, porque \"allow_all\" no ten\u00eda prioridad sobre \"identity_provider\". Desde JupyterHub 5.0, \"allow_all\" tiene prioridad sobre \"identity_provider\". En un centro con la misma configuraci\u00f3n, ahora todos los usuarios podr\u00e1n iniciar sesi\u00f3n, independientemente del `identity_provider`. B\u00e1sicamente, `identity_provider` ser\u00e1 ignorado. Este es un cambio documentado en JupyterHub 5.0, pero es probable que tome por sorpresa a muchos usuarios. OAuthenticator 16.3.1 soluciona el problema con JupyterHub 5.0 y no afecta a las versiones anteriores. Como workaround, no actualice a JupyterHub 5.0 cuando utilice `GlobusOAuthenticator` en la configuraci\u00f3n anterior."}], "id": "CVE-2024-37300", "lastModified": "2024-06-13T18:36:09.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-12T16:15:12.097", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654"}, {"source": "security-advisories@github.com", "url": "https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996"}, {"source": "security-advisories@github.com", "url": "https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

JSON object

JSON object

JSON object