CVE-2024-37300: Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0

June 12, 2024

JupyterHub < 5.0, when used with GlobusOAuthenticator, could be configured to allow all users from a particular institution only. The configuration for this would look like:

References

github.com/advisories/GHSA-gprj-3p75-f996
github.com/jupyterhub/oauthenticator
github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
nvd.nist.gov/vuln/detail/CVE-2024-37300

Detect and mitigate CVE-2024-37300 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →