CVE-2020-26250: Incorrect Authorization
(updated )
In oauthenticator, the deprecated (in jupyterhub ) configuration Authenticator.whitelist, which should be transparently mapped to Authenticator.allowed_users with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration has not been set.
References
- github.com/advisories/GHSA-384w-5v3f-q499
- github.com/jupyterhub/oauthenticator
- github.com/jupyterhub/oauthenticator/blob/master/docs/source/changelog.md
- github.com/jupyterhub/oauthenticator/commit/a4aac191c16cf6281f3d346615aefa75702b02d7
- github.com/jupyterhub/oauthenticator/security/advisories/GHSA-384w-5v3f-q499
- github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2020-68.yaml
- jupyterhub.readthedocs.io/en/1.2.2/getting-started/authenticators-users-basics.html
- nvd.nist.gov/vuln/detail/CVE-2020-26250
Code Behaviors & Features
Detect and mitigate CVE-2020-26250 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →