What is CVE-2024-37300?

CVE-2024-37300 is a high-severity vulnerability in Jupyterhub Oauthenticator, classified under Incorrect Authorization. CVSS score: 8.1/10. Published 2024-06-12.

How severe is CVE-2024-37300?

High severity. CVSS v3 base score is 8.1 out of 10.

Auth bypass in Jupyterhub Oauthenticator

CVE-2024-37300

OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only…

Vulnerability class: Broken Access Control

EPSS: 0.002 (43.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.

Affected products

Jupyterhub Oauthenticator — versions < 16.3.1

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996 (x_refsource_CONFIRM)
https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654 (x_refsource_MISC)
https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-37300?: CVE-2024-37300 is a high-severity vulnerability in Jupyterhub Oauthenticator, classified under Incorrect Authorization. CVSS score: 8.1/10. Published 2024-06-12.
How severe is CVE-2024-37300?: High severity. CVSS v3 base score is 8.1 out of 10.