PT-2024-27458 · Unknown · Authenticator+2

Minrk · Published 2024-06-12 · Updated 2024-06-13 · CVE-2024-37300

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: JupyterHub versions prior to 5.0; OAuthenticator versions prior to 16.3.1

Description: In JupyterHub 5.0, the allow all parameter takes precedence over the identity provider parameter when GlobusOAuthenticator is used. A configuration that was intended to allow every user from one particular institution can therefore admit every user, regardless of their identity provider. The change is documented in JupyterHub 5.0 but may catch many users by surprise.

Recommendations: For JupyterHub versions prior to 5.0, consider upgrading to OAuthenticator 16.3.1, which fixes the issue. For OAuthenticator versions prior to 16.3.1, do not upgrade to JupyterHub 5.0 while using GlobusOAuthenticator in the prior configuration. As a temporary workaround, avoid using the allow all parameter together with the identity provider parameter until the issue is resolved.
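The description above is an instance of a general authorization pitfall: a setting the operator reads as a restriction is evaluated as just another allow rule, so a broader allow rule short-circuits it. The following model, added here and not OAuthenticator's or JupyterHub's own code, contrasts that union-of-allow-rules pattern with one where the identity-provider setting is a filter applied before any allow rule. The `allow_all` and `identity_provider` field names, the "domain of the login name is the identity provider" convention and the sample logins are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class AuthConfig:
    # Model of the two interacting settings; the field names are this example's own.
    allow_all: bool = False
    identity_provider: Optional[str] = None  # e.g. "example.edu"
    allowed_users: Set[str] = field(default_factory=set)


def idp_of(username: str) -> str:
    # Constructed convention: the identity provider is the domain part of the login name.
    return username.rsplit("@", 1)[-1].lower()


def check_allowed_union(cfg: AuthConfig, username: str) -> bool:
    """Weak pattern: every setting is an independent allow rule and the first
    match wins. allow_all is tested first, so the identity_provider setting
    is never reached and can deny nobody once allow_all is on."""
    if cfg.allow_all:
        return True
    if cfg.identity_provider and idp_of(username) == cfg.identity_provider.lower():
        return True
    return username in cfg.allowed_users


def check_allowed_filtered(cfg: AuthConfig, username: str) -> bool:
    """Hardened pattern: identity_provider is a restriction evaluated before any
    allow rule. A mismatch denies no matter how broad the allow rules are;
    a match admits that institution's users, which is what the operator meant."""
    if cfg.identity_provider:
        if idp_of(username) != cfg.identity_provider.lower():
            return False
        return True
    return cfg.allow_all or username in cfg.allowed_users


def compare(cfg: AuthConfig, usernames: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each login to (union_result, filtered_result) for side-by-side review."""
    return {u: (check_allowed_union(cfg, u), check_allowed_filtered(cfg, u)) for u in usernames}


if __name__ == "__main__":
    # Constructed configuration: the operator intends "everyone from example.edu".
    cfg = AuthConfig(allow_all=True, identity_provider="example.edu")
    for user, (weak, hard) in compare(cfg, ["alice@example.edu", "mallory@other.org"]).items():
        print(f"{user:20} union={weak!s:5} filtered={hard}")
```

Running it shows the outsider admitted by the union pattern and refused by the filtered one, while the intended institution's user is admitted by both.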

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2024-37300
GHSA-GPRJ-3P75-F996

Affected Products

Globusoauthenticator
Jupyterhub
Authenticator