CVE-2023-25574: LTI JupyterHub Authenticator does not properly validate JWT Signature
Only users that has configured a JupyterHub installation to use the authenticator class LTI13Authenticator are influenced.
LTI13Authenticator that was introduced in jupyterhub-ltiauthenticator 1.3.0 wasn’t validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.
References
- github.com/advisories/GHSA-mcgx-2gcr-p3hp
- github.com/jupyterhub/ltiauthenticator
- github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py
- github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md
- github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp
- nvd.nist.gov/vuln/detail/CVE-2023-25574
Code Behaviors & Features
Detect and mitigate CVE-2023-25574 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →