PT-2022-20471 · Unknown · Cilogonoauthenticator+1

Georgiana Elena +1

Published: 2022-06-06 · Updated: 2022-06-16 · CVE-2022-31027

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: CILogonOAuthenticator versions prior to 15.0.0

Description: The issue concerns the authorization mechanism in CILogonOAuthenticator, which is used to restrict access to a JupyterHub based on the user's institution. The allowed_idps configuration trait is intended to list the domains of authorized institutions, but the check only verifies the domain of the email address provided by CILogon, not which identity provider actually authenticated the user. As a result, a user can access the JupyterHub with a GitHub account whose email address matches an authorized domain, even if their access to the institution's identity provider has been revoked. The patch for this issue changes how allowed_idps is interpreted: it now requires the EntityID of each allowed identity provider.

Recommendations: For versions prior to 15.0.0, upgrade to version 15.0.0 or above and update the allowed_idps configuration to use the EntityID of the allowed identity providers, as specified in the migration documentation. As a temporary workaround, consider restricting access to the JupyterHub until the patch can be applied.
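The following is an added example, not CILogonOAuthenticator's own code: a simplified model of the allowed_idps check before and after 15.0.0, showing why a domain-only check accepts a GitHub account carrying an institutional email while an EntityID check does not. It assumes that CILogon's userinfo response carries an "email" claim and an "idp" claim holding the EntityID of the provider that authenticated the user, that the pre-15 allowed_idps was a list of email domains, and that the 15.0.0 allowed_idps is a dict keyed by EntityID with a username_derivation rule as described in the migration documentation. The EntityID strings and userinfo records are constructed placeholders.

```python
# Added example (not the project's code): model of the allowed_idps check
# before and after CILogonOAuthenticator 15.0.0.
# Assumptions: userinfo has "email" and "idp" (EntityID) claims; pre-15
# allowed_idps is a list of email domains; 15.0.0 allowed_idps is a dict
# keyed by EntityID. EntityIDs and users below are constructed placeholders.

INSTITUTION_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"  # placeholder
GITHUB_ENTITY_ID = "https://github-idp.example/placeholder"        # placeholder

# A user authenticated by the institution's own identity provider.
INSTITUTION_USER = {"email": "alice@example.edu", "idp": INSTITUTION_ENTITY_ID}

# A GitHub account whose profile email is an @example.edu address. GitHub does
# not verify institutional affiliation, so this may be someone whose
# institutional account has already been revoked.
GITHUB_USER = {"email": "alice@example.edu", "idp": GITHUB_ENTITY_ID}

# Pre-15.0.0 style configuration: a list of institutional email domains.
ALLOWED_DOMAINS_PRE_15 = ["example.edu"]

# 15.0.0 style configuration: keyed by EntityID, with the username derivation
# rule the migration documentation describes (assumed shape).
ALLOWED_IDPS_15 = {
    INSTITUTION_ENTITY_ID: {
        "username_derivation": {
            "username_claim": "email",
            "action": "strip_idp_domain",
            "domain": "example.edu",
        }
    }
}


def allowed_before_15(userinfo, allowed_domains):
    """Vulnerable check: only the domain of the email claim is consulted."""
    email = userinfo.get("email") or ""
    if "@" not in email:
        return False
    domain = email.rpartition("@")[2].lower()
    return domain in {d.lower() for d in allowed_domains}


def allowed_from_15(userinfo, allowed_idps):
    """Fixed check: the authenticating IdP's EntityID must itself be allowed.

    An email claim is irrelevant here; a non-institutional IdP cannot
    satisfy the check no matter what email address it reports."""
    return userinfo.get("idp") in allowed_idps


def derive_username(userinfo, allowed_idps):
    """Apply the matched IdP's username_derivation rule; None if not allowed."""
    rule = allowed_idps.get(userinfo.get("idp"), {}).get("username_derivation")
    if rule is None:
        return None
    value = userinfo.get(rule["username_claim"], "")
    if rule.get("action") == "strip_idp_domain":
        suffix = "@" + rule["domain"]
        if not value.lower().endswith(suffix):
            return None
        return value[: -len(suffix)]
    return value


if __name__ == "__main__":
    for label, user in (("institution", INSTITUTION_USER), ("github", GITHUB_USER)):
        print(label,
              "pre-15:", allowed_before_15(user, ALLOWED_DOMAINS_PRE_15),
              "15.0.0:", allowed_from_15(user, ALLOWED_IDPS_15),
              "username:", derive_username(user, ALLOWED_IDPS_15))
```

Running the block shows the GitHub-authenticated record passing the pre-15 domain check and failing the EntityID check, while the institution-authenticated record passes both; the EntityID check ties authorization to the assertion the institution actually issued, which is the property the domain check lacked.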

Exploit · Fix · IDOR


Weakness Enumeration

Related Identifiers

CVE-2022-31027
GHSA-R7V4-JWX9-WX43
PYSEC-2022-206

Affected Products

Cilogonoauthenticator
Jupyterhub