PT-2024-22686 · Unknown · Authenticator

Manics · Published 2024-03-20 · Updated 2025-12-03 · CVE-2024-29033

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: oauthenticator versions prior to 16.3.0

Description: The issue is related to the GoogleOAuthenticator.hosted_domain parameter, which is intended to restrict access to Google accounts that are part of one or more Google organizations verified to control the specified domain(s). However, prior to version 16.3.0, the actual restriction was to Google accounts whose email addresses end with the domain, so anyone who could read an email address on that domain could create a Google account with it and access the system. This was described by Dylan Ayrey in a blog post from 15 December 2023. OAuthenticator 16.3.0 contains a patch for this issue.

Recommendations: For versions prior to 16.3.0, upgrade to oauthenticator version 16.3.0 or later. As a temporary workaround, restrict who can log in another way, such as with allowed_users or allowed_google_groups.
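As an added illustration (not oauthenticator's own code), the difference between the email-suffix check the advisory describes and a check of Google's `hd` claim, which is only present for Google Workspace accounts and carries the organization's verified domain; the user-info shape, function names and sample accounts are assumptions constructed for the example.

```python
# Added example: vulnerable suffix check beside a claim-based check.
# The GoogleUserInfo shape and the sample accounts are constructed here;
# they are not oauthenticator's data structures.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class GoogleUserInfo:
    email: str
    # Google's "hd" claim: set for Workspace accounts to the organization's
    # verified domain, absent for consumer (gmail-style) accounts.
    hd: Optional[str] = None


def vulnerable_hosted_domain_check(info: GoogleUserInfo, hosted_domains: List[str]) -> bool:
    """Pre-16.3.0 behaviour as the advisory describes it: a plain suffix match
    on the email address. A consumer Google account registered with a mailbox
    on the domain passes, even though it is not a member of the organization."""
    email = info.email.lower()
    return any(email.endswith("@" + d.lower()) for d in hosted_domains)


def hardened_hosted_domain_check(info: GoogleUserInfo, hosted_domains: List[str]) -> bool:
    """Require the hd claim to name one of the configured domains. Accounts
    without an hd claim are rejected regardless of their email address
    (assumed sketch of the intended semantics, not the project's patch)."""
    if not info.hd:
        return False
    return info.hd.lower() in {d.lower() for d in hosted_domains}


# Constructed sample accounts: a genuine Workspace member, a consumer account
# created with a mailbox on the same domain, and an unrelated domain.
SAMPLE_ACCOUNTS = [
    GoogleUserInfo("bob@example.org", hd="example.org"),
    GoogleUserInfo("alice@example.org"),
    GoogleUserInfo("eve@notexample.org"),
]


def compare(hosted_domains: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample email to (vulnerable_result, hardened_result)."""
    return {
        a.email: (
            vulnerable_hosted_domain_check(a, hosted_domains),
            hardened_hosted_domain_check(a, hosted_domains),
        )
        for a in SAMPLE_ACCOUNTS
    }
```

Only the consumer account's result changes between the two checks, which is exactly the gap the advisory describes.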

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2024-29033
GHSA-55M3-44XF-HG4H

Affected Products

Authenticator