OAuth2 Identity Provider Configuration Flaw in JupyterHub by Jupyter Project
CVE-2024-37300

Currently unrated

Key Information:

Vendor: Jupyter Project
CVE Published: 12 June 2024

What is CVE-2024-37300?

A configuration-precedence flaw affects JupyterHub deployments that log users in through GlobusOAuthenticator, the Globus plugin from the OAuthenticator project. Before JupyterHub 5.0, an institution could effectively restrict access by requiring that users authenticate through a specific identity provider (configured with GlobusOAuthenticator.identity_provider). JupyterHub 5.0 introduced a precedence rule for authorization decisions under which that identity-provider restriction is ignored, so any user who can complete a Globus login may be granted access, not only users from the intended institution. Deployments that rely on the restriction should either stay on a JupyterHub release earlier than 5.0 with the existing GlobusOAuthenticator configuration, or upgrade OAuthenticator to version 16.3.1, which resolves the issue.
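The Python model below is an added illustration for this page; it is not code from JupyterHub or OAuthenticator. It shows, in simplified form, why the precedence rule described above defeats an identity-provider restriction, what the corrected ordering looks like, and a pre-flight check for the affected version combination (JupyterHub 5.0 or newer together with OAuthenticator older than 16.3.1). The function names, the `allow_everyone` stand-in for a general allow rule, the single-provider `allowed_idp` parameter and the sample identity-provider domains are assumptions made for the example; the real restriction is configured through `GlobusOAuthenticator.identity_provider`.

```python
"""Illustrative model of the authorization-precedence flaw in CVE-2024-37300.

Added example for this page; it is NOT the code of JupyterHub or of
OAuthenticator. The decision functions, their parameters and the
version check are simplified stand-ins for the behaviour the advisory
describes.
"""
from itertools import takewhile


def decide_pre_jupyterhub5(user_idp, allowed_idp):
    """Behaviour the advisory attributes to setups before JupyterHub 5.0:
    the identity-provider restriction is the deciding rule."""
    return user_idp == allowed_idp


def decide_jupyterhub5_unfixed(user_idp, allowed_idp, allow_everyone):
    """Precedence rule as described for JupyterHub 5.0 with OAuthenticator
    older than 16.3.1: a general allow rule is consulted first, and when
    it grants access the identity-provider restriction is never reached.
    `allow_everyone` is an assumed stand-in for that general allow rule."""
    if allow_everyone:
        return True  # restriction silently bypassed
    return user_idp == allowed_idp


def decide_fixed(user_idp, allowed_idp, allow_everyone):
    """Hardened ordering: a configured identity-provider restriction is a
    hard requirement evaluated before any general allow rule."""
    if allowed_idp is not None and user_idp != allowed_idp:
        return False
    return allow_everyone or user_idp == allowed_idp


def parse_version(version):
    """Parse 'MAJOR.MINOR.PATCH' loosely into a 3-tuple of ints;
    pre-release suffixes such as '0b1' are truncated to their digits."""
    nums = []
    for part in version.split(".")[:3]:
        digits = "".join(takewhile(str.isdigit, part))
        nums.append(int(digits) if digits else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(jupyterhub_version, oauthenticator_version, restricts_idp):
    """True when a deployment matches the affected combination named in
    the advisory: an identity-provider restriction in use, JupyterHub 5.0
    or newer, and OAuthenticator older than 16.3.1."""
    if not restricts_idp:
        return False
    return (parse_version(jupyterhub_version) >= (5, 0, 0)
            and parse_version(oauthenticator_version) < (16, 3, 1))


if __name__ == "__main__":
    # Constructed sample: the institution allows only "uni.example"
    # identities; "other.example" is an outsider's identity provider.
    allowed = "uni.example"
    outsider = "other.example"
    print("pre-5.0, outsider:", decide_pre_jupyterhub5(outsider, allowed))          # False
    print("5.0 unfixed, outsider:", decide_jupyterhub5_unfixed(outsider, allowed, True))  # True
    print("fixed, outsider:", decide_fixed(outsider, allowed, True))                 # False
    print("affected (5.0.0 + 16.3.0):", is_affected("5.0.0", "16.3.0", True))        # True
    print("after upgrade (5.0.0 + 16.3.1):", is_affected("5.0.0", "16.3.1", True))   # False
```

In practice the version strings would come from the installed packages (for example via `importlib.metadata.version("jupyterhub")` and `importlib.metadata.version("oauthenticator")`); the check is written to take plain strings so it can be run against a deployment inventory offline.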

Timeline

  • Vulnerability published: 12 June 2024