Vulnerability Information
Vulnerability Title
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
Vulnerability Description
OAuthenticator is software that allows OAuth2 identity providers to be plugged in and used with JupyterHub. JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. This worked fine prior to JupyterHub 5.0, because `allow_all` did not take precedence over `identity_provider`. Since JupyterHub 5.0, `allow_all` does take precedence over `identity_provider`. On a hub with the same config, all users will now be allowed to log in, regardless of `identity_provider`; `identity_provider` is effectively ignored. This is a documented change in JupyterHub 5.0, but it is likely to catch many users by surprise. OAuthenticator 16.3.1 fixes the issue with JupyterHub 5.0; previous JupyterHub versions are not affected. As a workaround, do not upgrade to JupyterHub 5.0 when using `GlobusOAuthenticator` in the prior configuration.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
Improper Authorization
Vulnerability Title
OAuthenticator Security Vulnerability
Vulnerability Description
OAuthenticator is an OAuth token library for the JupyterHub login handler. OAuthenticator 16.3.0 and earlier versions contain a security vulnerability: starting with JupyterHub 5.0, the allow_all configuration option takes precedence over the identity_provider configuration option, so all users are able to log in regardless of the identity_provider setting.
CVSS Information
N/A
Vulnerability Type
N/A
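Both descriptions above reduce to one condition: a `GlobusOAuthenticator` config that combines `identity_provider` with `allow_all`, running on JupyterHub 5.0 or later with OAuthenticator older than 16.3.1. The following script is an added example, not code from the advisory or from the OAuthenticator project, that flags that combination so an operator can confirm whether a hub is exposed before the next upgrade. The version thresholds (JupyterHub 5.0, OAuthenticator 16.3.1) are taken from the advisory; the function names, the `pad`/`parse_version` helpers and the constructed config dict (mirroring `c.GlobusOAuthenticator.identity_provider` and `c.GlobusOAuthenticator.allow_all` from a `jupyterhub_config.py`) are this example's own assumptions.

```python
"""Flag the JupyterHub >= 5.0 / OAuthenticator < 16.3.1 combination in which
`allow_all` overrides GlobusOAuthenticator's `identity_provider` restriction.
Added example; thresholds come from the advisory, everything else is assumed."""
import re
from importlib import metadata

# Thresholds stated in the advisory.
HUB_PRECEDENCE_CHANGE = (5, 0)   # JupyterHub 5.0: allow_all wins over identity_provider
OAUTH_FIXED = (16, 3, 1)         # OAuthenticator 16.3.1 restores the restriction


def parse_version(text: str) -> tuple:
    """Turn '16.3.1' or '5.0.0b2' into a tuple of its leading integer parts."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:          # stop at the first non-numeric segment
            break
        parts.append(int(m.group()))
    return tuple(parts)


def pad(version: tuple, length: int = 3) -> tuple:
    """Right-pad with zeros so (5,) compares equal to (5, 0, 0)."""
    return version + (0,) * (length - len(version))


def combo_is_affected(hub_version: str, oauth_version: str, config: dict) -> bool:
    """True when versions and config match the advisory's vulnerable case:
    identity_provider set, allow_all enabled, hub >= 5.0, oauthenticator < 16.3.1."""
    restricts_idp = bool(config.get("identity_provider"))
    allow_all = bool(config.get("allow_all", False))
    if not (restricts_idp and allow_all):
        return False   # the precedence change only matters for this config shape
    hub = pad(parse_version(hub_version))
    oauth = pad(parse_version(oauth_version))
    return hub >= pad(HUB_PRECEDENCE_CHANGE) and oauth < OAUTH_FIXED


def installed_version(dist: str):
    """Installed distribution version, or None if the package is absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


# Constructed config, standing in for the relevant jupyterhub_config.py lines:
#   c.GlobusOAuthenticator.identity_provider = "example.edu"
#   c.GlobusOAuthenticator.allow_all = True
EXAMPLE_CONFIG = {"identity_provider": "example.edu", "allow_all": True}


if __name__ == "__main__":
    hub = installed_version("jupyterhub") or "0"
    oauth = installed_version("oauthenticator") or "0"
    if combo_is_affected(hub, oauth, EXAMPLE_CONFIG):
        print(f"AFFECTED: jupyterhub {hub} + oauthenticator {oauth}: "
              "allow_all overrides identity_provider; upgrade oauthenticator "
              "to >= 16.3.1 or stay on jupyterhub < 5.0")
    else:
        print(f"not affected: jupyterhub {hub}, oauthenticator {oauth}")
```

The decision is kept in `combo_is_affected` so it can be exercised against any version pair without touching the installed environment; run the script on the hub host to evaluate the real packages, replacing `EXAMPLE_CONFIG` with the values from the hub's own config.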