jupyter oauthenticator 授权机制不正确

admin
admin
admin
0
文章
0
评论
2023-12-02 03:58:05 Ali_nvd 来源:ZONE.CI 全球网 0 阅读模式
中危 jupyter oauthenticator 授权机制不正确

CVE编号

CVE-2020-26250

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-12-02
漏洞描述
OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the deprecated (in jupyterhub 1.2) configuration `Authenticator.whitelist`, which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration) then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist` are **not** affected. All users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `admin.whitelist.users` configuration in the jupyterhub helm chart or the `c.Authenticator.whitelist` configuration directly. Users of other deprecated configuration, e.g. `c.GitHubOAuthenticator.team_whitelist` are **not** affected. If you see a log line like this and expect a specific list of allowed usernames: "[I 2020-11-27 16:51:54.528 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed." you are likely affected. Updating oauthenticator to 0.12.2 is recommended. A workaround is to replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed_users = ...`. If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface, per the referenced documentation.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://github.com/jupyterhub/oauthenticator/blob/master/docs/source/changelo...
https://github.com/jupyterhub/oauthenticator/commit/a4aac191c16cf6281f3d34661...
https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-384w-5v3f-q499
https://jupyterhub.readthedocs.io/en/1.2.2/getting-started/authenticators-use...
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 jupyter oauthenticator * From (including) 0.12.0 Up to (excluding) 0.12.2
阿里云评分 5.9
  • 攻击路径 本地
  • 攻击复杂度 困难
  • 权限要求 普通权限
  • 影响范围 有限影响
  • EXP成熟度 未验证
  • 补丁情况 官方补丁
  • 数据保密性 无影响
  • 数据完整性 无影响
  • 服务器危害 无影响
  • 全网数量 N/A
CWE-ID 漏洞类型
CWE-863 授权机制不正确
- avd.aliyun.com
weinxin
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
安全领域涉猎者-乌云独行地带
N/A Ali_nvd

N/A

N/ACVE编号 CVE-2024-9120利用情况 暂无补丁情况 N/A披露时间 2024-09-23漏洞描述Use after free in Dawn
09-260 评论
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
评论:0   参与:  0