CVE-2024-29033 Affecting py3-oauthenticator package, versions <16.3.0-r0


Severity: low (recommended)

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS: 0.05% (19th percentile)

  • Snyk ID: SNYK-CHAINGUARDLATEST-PY3OAUTHENTICATOR-6483178
  • Published: 23 Mar 2024
  • Disclosed: 20 Mar 2024

Introduced: 20 Mar 2024

CVE-2024-29033

How to fix?

Upgrade Chainguard py3-oauthenticator to version 16.3.0-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream py3-oauthenticator package and not the py3-oauthenticator package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

OAuthenticator provides plugins for JupyterHub to use common OAuth providers, as well as base classes for writing one's own Authenticators with any OAuth 2.0 provider. GoogleOAuthenticator.hosted_domain is used to restrict which Google accounts can be authorized to access a JupyterHub. The restriction is intended to apply to Google accounts that are part of one or more Google organizations verified to control the specified domain(s). Prior to version 16.3.0, the actual restriction has been to Google accounts with emails ending with the domain. Such accounts could have been created by anyone who at one time was able to read an email associated with the domain. This was described by Dylan Ayrey (@dxa4481) in this [blog post] from 15th December 2023. OAuthenticator 16.3.0 contains a patch for this issue. As a workaround, restrict who can login another way, such as allowed_users or allowed_google_groups.
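The weakness described above, reduced to its core check, as an added illustration that is not oauthenticator's own code: the pre-16.3.0 behaviour accepts any account whose email suffix matches hosted_domain, while the hardened variant assumes Google's userinfo response carries an `hd` (hosted domain) claim that Google sets only for accounts belonging to a Workspace organization verified to own that domain. The sample accounts and the `hd` claim name are assumptions for this example.

```python
# Added example, not oauthenticator's code. Illustrates CVE-2024-29033:
# an email-suffix check versus a check on the `hd` claim (assumed name of
# the claim Google returns for verified Workspace organization members).

# Constructed sample userinfo payloads (not real accounts).
WORKSPACE_MEMBER = {"email": "alice@example.org", "hd": "example.org"}
# A consumer Google account registered with an @example.org address by
# someone who could once read that mailbox; Google sets no `hd` for it.
CONSUMER_ACCOUNT = {"email": "former-contractor@example.org"}


def _normalize(domains):
    return {d.strip().lower() for d in domains}


def vulnerable_hosted_domain_check(user_info: dict, hosted_domains) -> bool:
    """Pre-16.3.0 behaviour (simplified): accept any account whose email
    ends with a configured domain. Control of an email address does not
    prove membership of the organization, so this check is too weak."""
    email = user_info.get("email", "")
    if "@" not in email:
        return False
    return email.rsplit("@", 1)[1].lower() in _normalize(hosted_domains)


def hardened_hosted_domain_check(user_info: dict, hosted_domains) -> bool:
    """Accept only accounts Google reports as members of a configured
    domain via the `hd` claim; accounts without the claim are rejected."""
    hd = user_info.get("hd")
    if not isinstance(hd, str) or not hd:
        return False
    return hd.lower() in _normalize(hosted_domains)


def allowed_users_workaround(user_info: dict, allowed_users) -> bool:
    """The advisory's interim workaround: an explicit allowlist of users,
    so a matching email domain alone never grants access."""
    return user_info.get("email", "").lower() in {u.lower() for u in allowed_users}


if __name__ == "__main__":
    for name, info in (("member", WORKSPACE_MEMBER), ("consumer", CONSUMER_ACCOUNT)):
        print(name, "vulnerable:", vulnerable_hosted_domain_check(info, ["example.org"]),
              "hardened:", hardened_hosted_domain_check(info, ["example.org"]))
```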