Security Flaw in JupyterHub LTI Authenticator Affecting Learning Tools Integration
CVE-2023-25574

CVSS 10.0 CRITICAL

Key Information:

Vendor: Jupyterhub
Product: ltiauthenticator
CVE Published: 25 February 2025

Summary

A vulnerability exists in JupyterHub's jupyterhub-ltiauthenticator, specifically in version 1.3.0, where the LTI13Authenticator does not properly validate JWT signatures. Because the signature is never checked, a forged LTI 1.3 login request can be accepted as authenticated, posing a significant risk to JupyterHub installations that use this authenticator class. Users are advised to update to version 1.4.0, which removes the LTI13Authenticator entirely to mitigate this issue. No known workarounds are available for those on affected versions.
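The flaw class described above, shown as an added example that is not code from jupyterhub-ltiauthenticator: a decoder that trusts JWT claims after base64-decoding only, beside a verifier that pins the algorithm, checks the signature, and then checks issuer, audience and expiry. LTI 1.3 id_tokens are RS256-signed and verified against the platform's JWKS; this example uses HS256 with a constructed shared secret purely so it runs with the standard library, and every key, issuer and client id below is constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Used only to construct sample input for the two decoders."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def vulnerable_claims(token: str) -> dict:
    """Flawed pattern: the claims are read straight out of the payload, the signature is ignored,
    so whoever can craft a token chooses the identity (the sub claim) JupyterHub would log in."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verified_claims(token: str, key: bytes, audience: str, issuer: str, now=None) -> dict:
    """Hardened pattern: reject unexpected alg, verify the signature in constant time,
    and only then accept claims whose iss/aud match this tool and which have not expired."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm (e.g. "none")
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise ValueError("claims rejected")
    return claims
```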

Affected Version(s)

ltiauthenticator = 1.3.0

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
