CVE-2024-29033 Affecting py3-oauthenticator package, versions <16.3.0-r0
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-PY3OAUTHENTICATOR-6483178
- published23 Mar 2024
- disclosed20 Mar 2024
Introduced: 20 Mar 2024
CVE-2024-29033 (opens in a new tab)How to fix?
Upgrade Chainguard py3-oauthenticator to version 16.3.0-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream py3-oauthenticator package and not the py3-oauthenticator package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
OAuthenticator provides plugins for JupyterHub to use common OAuth providers, as well as base classes for writing one's own Authenticators with any OAuth 2.0 provider. GoogleOAuthenticator.hosted_domain is used to restrict what Google accounts can be authorized access to a JupyterHub. The restriction is intented to be to Google accounts part of one or more Google organization verified to control specified domain(s). Prior to version 16.3.0, the actual restriction has been to Google accounts with emails ending with the domain. Such accounts could have been created by anyone which at one time was able to read an email associated with the domain. This was described by Dylan Ayrey (@dxa4481) in this [blog post] from 15th December 2023). OAuthenticator 16.3.0 contains a patch for this issue. As a workaround, restrict who can login another way, such as allowed_users or allowed_google_groups.