logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-29033 oauthenticator

Package

Manager: pip
Name: oauthenticator
Vulnerable Version: >=0 <16.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00146 pctl0.35618

Details

GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace ## Summary and impact [`GoogleOAuthenticator.hosted_domain`] is used to restrict what Google accounts can be authorized to access a JupyterHub. The restriction _is intended_ to ensure Google accounts are part of one or more Google organizations/workspaces verified to control specified domain(s). The vulnerability is that the actual restriction has been to Google accounts with emails ending with the domain. Such accounts could have been created by anyone which at one time was able to read an email associated with the domain. This was described by Dylan Ayrey (@dxa4481) in this [blog post] from 15th December 2023. ## Remediation Upgrade to `oauthenticator>=16.3.0` or restrict who can login another way, such as [`allowed_users`] or [`allowed_google_groups`]. [`GoogleOAuthenticator.hosted_domain`]: https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.google.html#oauthenticator.google.GoogleOAuthenticator.hosted_domain [`allowed_users`]: https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.google.html#oauthenticator.google.GoogleOAuthenticator.allowed_users [`allowed_google_groups`]: https://oauthenticator.readthedocs.io/en/latest/reference/api/gen/oauthenticator.google.html#oauthenticator.google.GoogleOAuthenticator.allowed_google_groups [blog post]: https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of/

Metadata

Created: 2024-03-20T18:02:07Z
Modified: 2024-03-20T21:37:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-55m3-44xf-hg4h/GHSA-55m3-44xf-hg4h.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-55m3-44xf-hg4h
Finding: F039
Auto approve: 1