PT-2020-16377 · Project Jupyter · Jupyterhub

Minrk · Published 2020-12-01 · Updated 2020-12-08 · CVE-2020-26250

CVSS v4.0: 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: oauthenticator versions 0.12.0 through 0.12.1

Description: The deprecated configuration Authenticator.whitelist is ignored by OAuthenticator classes, so if no group or team restrictions are in place, every authenticated user is allowed in. Provider-based restrictions are not affected. Users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 who use the admin.whitelist.users configuration, or the c.Authenticator.whitelist configuration directly, are affected. A log line stating that allowed users is not being used may indicate that a system is affected.

Recommendations: To resolve the issue for oauthenticator versions 0.12.0 through 0.12.1, update oauthenticator to 0.12.2. As a temporary workaround, replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed_users = ...`. If any users were authorized during this time who should not have been, they must be deleted via the API or the admin interface. In the jupyterhub helm chart prior to 0.10.6, the workaround can be applied via hub.extraConfig: set allowedUsers and configure extraConfig to set the allowed users field.
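As an added example (not part of this advisory or of the oauthenticator project), the script below is the check an operator would run while applying the recommendation above: it flags any live `c.<Class>.whitelist = ...` assignment in a jupyterhub_config.py, rewrites it to `allowed_users`, and combines that with the installed oauthenticator version to decide whether a deployment falls in the affected range. The regex-based scan, the version-tuple logic and the sample configuration (including the `GitHubOAuthenticator` line) are constructed for illustration and are assumptions, not something the advisory specifies.

```python
"""Audit helper for CVE-2020-26250: flag the deprecated `whitelist` setting in
a jupyterhub_config.py and rewrite it to `allowed_users`.

Added example; not part of the advisory or the oauthenticator project. The
sample config and the version-range logic are constructed for illustration.
"""
import re

# Affected oauthenticator releases named in the advisory.
AFFECTED_VERSIONS = {(0, 12, 0), (0, 12, 1)}

# Matches a traitlets assignment such as `c.Authenticator.whitelist = {...}`
# or `c.GitHubOAuthenticator.whitelist = [...]`; the class name is captured so
# the rewrite keeps whichever class the operator configured. Lines starting
# with `#` do not match, so commented-out settings are ignored.
WHITELIST_RE = re.compile(r"^(\s*c\.(\w+)\.)whitelist(\s*=.*)$")


def parse_version(version: str) -> tuple:
    """Turn '0.12.1' into (0, 12, 1); a non-numeric suffix ends the parse."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True only for the oauthenticator releases the advisory lists."""
    return parse_version(version) in AFFECTED_VERSIONS


def find_deprecated_whitelist(config_text: str) -> list:
    """Return (line number, stripped line) for each live whitelist assignment."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if WHITELIST_RE.match(line):
            findings.append((lineno, line.strip()))
    return findings


def rewrite_to_allowed_users(config_text: str) -> str:
    """Return the config with `whitelist` assignments renamed to `allowed_users`."""
    rewritten = []
    for line in config_text.splitlines():
        m = WHITELIST_RE.match(line)
        if m:
            line = f"{m.group(1)}allowed_users{m.group(3)}"
        rewritten.append(line)
    return "\n".join(rewritten) + ("\n" if config_text.endswith("\n") else "")


def audit(version: str, config_text: str) -> dict:
    """Combine both checks. `exposed` means an affected release is installed
    and the config still relies on the ignored whitelist setting; the advisory
    notes that provider-side group/team restrictions, if any, still apply."""
    findings = find_deprecated_whitelist(config_text)
    affected = is_affected_version(version)
    return {
        "affected_version": affected,
        "whitelist_lines": findings,
        "exposed": affected and bool(findings),
    }


# Constructed sample jupyterhub_config.py (not from any real deployment).
SAMPLE_CONFIG = """\
c.JupyterHub.authenticator_class = 'oauthenticator.github.GitHubOAuthenticator'
# c.Authenticator.whitelist = {'old'}  # commented out: not a live setting
c.Authenticator.whitelist = {'alice', 'bob'}
c.Authenticator.admin_users = {'alice'}
"""

if __name__ == "__main__":
    report = audit("0.12.1", SAMPLE_CONFIG)
    for lineno, text in report["whitelist_lines"]:
        print(f"line {lineno}: {text}")
    print("exposed:", report["exposed"])
    print(rewrite_to_allowed_users(SAMPLE_CONFIG))
```

Run it against a copy of the real config file and the output of `pip show oauthenticator`; the rewritten text is only the interim workaround, and upgrading to 0.12.2 remains the fix. Any users admitted while the setting was ignored still have to be removed through the API or admin interface, which no config rewrite does for you.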

Fix

Weakness Enumeration: Incorrect Authorization


Related Identifiers

CVE-2020-26250
GHSA-384W-5V3F-Q499
PYSEC-2020-68

Affected Products

Jupyterhub