Insufficient data authenticity validation in jupyterhub-ltiauthenticator

Description

LTI JupyterHub Authenticator does not properly validate JWT signatures.

Impact

Only users who have configured a JupyterHub installation to use the authenticator class LTI13Authenticator are affected.

LTI13Authenticator, which was introduced in jupyterhub-ltiauthenticator 1.3.0, wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request, granting access to existing and new user identities.

Patches

None.

Workarounds

None.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
