Unknown · CILogonOAuthenticator · CVE-2022-31027
**Name of the Vulnerable Software and Affected Versions**
CILogonOAuthenticator versions prior to 15.0.0
**Description**
The issue concerns the authorization mechanism in CILogonOAuthenticator, which is used to restrict access to a JupyterHub based on the user's institution. The `allowed_idps` configuration trait is intended to list the domains of authorized institutions, but it is checked only against the email address returned by CILogon, not against the identity provider that actually authenticated the user. This means a user can access the JupyterHub with a GitHub account whose email address matches an authorized domain, even if their access to the institution's identity provider has been revoked. The patch for this issue changes how `allowed_idps` is interpreted: it now requires the `EntityID` of each allowed identity provider.
**Recommendations**
For versions prior to 15.0.0, upgrade to version 15.0.0 or above and update the `allowed_idps` configuration to use the `EntityID` of the allowed identity providers, as specified in the migration documentation. As a temporary workaround, consider restricting access to the JupyterHub until the patch can be applied.
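To make the difference between the two checks concrete, here is an added example (not oauthenticator's own code) that places the pre-15.0.0 domain-based check beside an EntityID-based check and runs both over constructed CILogon userinfo claims. The claim names (`email`, `idp`) follow CILogon's userinfo response, the EntityID values are placeholders, and the dict shape of the corrected `allowed_idps` is an assumption modelled on the 15.0.0 migration documentation.

```python
# Added example, not oauthenticator's own code: pre-15.0.0 email-domain check
# beside a 15.0.0-style EntityID check, over constructed CILogon userinfo
# claims. EntityIDs below are placeholders; the dict shape is an assumption.

# Weak configuration (pre-15.0.0 semantics): allowed_idps is a list of domains.
ALLOWED_DOMAINS = ["example.edu"]

# Corrected configuration (15.0.0 semantics): allowed_idps is keyed by EntityID.
# Dict shape modelled on the migration docs; verify against the release docs.
ALLOWED_IDPS = {
    "https://idp.example.edu/idp/shibboleth": {  # placeholder EntityID
        "username_derivation": {
            "username_claim": "email",
            "action": "strip_idp_domain",
            "domain": "example.edu",
        },
    },
}


def check_by_email_domain(userinfo, allowed_domains):
    """Vulnerable check: only the domain of the asserted email is inspected."""
    email = userinfo.get("email", "")
    if "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() in {d.lower() for d in allowed_domains}


def check_by_entity_id(userinfo, allowed_idps):
    """Fixed check: the IdP that authenticated the user must be allow-listed."""
    return userinfo.get("idp") in allowed_idps


def derive_username(userinfo, allowed_idps):
    """Username from the allow-listed IdP's rule, or None if the IdP is not allowed."""
    rule = allowed_idps.get(userinfo.get("idp"))
    if rule is None:
        return None
    deriv = rule["username_derivation"]
    name = userinfo.get(deriv["username_claim"], "")
    if deriv.get("action") == "strip_idp_domain":
        domain = deriv["domain"]
        if name.lower().endswith("@" + domain.lower()):
            name = name[: -(len(domain) + 1)]
    return name


# Constructed claims: one login via the institutional IdP, one via a social
# IdP whose account merely carries an @example.edu email address.
INSTITUTIONAL_USER = {"email": "alice@example.edu", "idp": "https://idp.example.edu/idp/shibboleth"}
SOCIAL_USER = {"email": "alice@example.edu", "idp": "https://social-idp.example/placeholder"}
```

The social-IdP login passes the email-domain check but fails the EntityID check, which is exactly the gap the 15.0.0 change closes.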