Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/oauthenticator@0.6.1

Type pypi

Namespace

Name oauthenticator

Version 0.6.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 15.0.0

Latest_non_vulnerable_version 17.4.0

Affected_by_vulnerabilities

url VCID-f12e-7kyd-cyhg

vulnerability_id VCID-f12e-7kyd-cyhg

summary OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowed_idps configuration trait of CILogonOAuthenticator is documented to be a list of domains that indicate the institutions whose users are authorized to access this JupyterHub. This authorization is validated by ensuring that the *email* field provided to us by CILogon has a *domain* that matches one of the domains listed in `allowed_idps`.If `allowed_idps` contains `berkeley.edu`, you might expect only users with valid current credentials provided by University of California, Berkeley to be able to access the JupyterHub. However, CILogonOAuthenticator does *not* verify which provider is used by the user to login, only the email address provided. So a user can login with a GitHub account that has email set to `<something>@berkeley.edu`, and that will be treated exactly the same as someone logging in using the UC Berkeley official Identity Provider. The patch fixing this issue makes a *breaking change* in how `allowed_idps` is interpreted. It's no longer a list of domains, but configuration representing the `EntityID` of the IdPs that are allowed, picked from the [list maintained by CILogon](https://cilogon.org/idplist/). Users are advised to upgrade.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-31027

reference_id

reference_type

scores

value	0.00267
scoring_system	epss
scoring_elements	0.50346
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-31027

reference_url

https://github.com/jupyterhub/oauthenticator

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/oauthenticator

reference_url

https://github.com/jupyterhub/oauthenticator/commit/5cd2d1816f90dc5c946e6e38fd2d0ba535624c5c

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/oauthenticator/commit/5cd2d1816f90dc5c946e6e38fd2d0ba535624c5c

reference_url

https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-r7v4-jwx9-wx43

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-r7v4-jwx9-wx43

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2022-206.yaml

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2022-206.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-31027

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-31027

fixed_packages

url	pkg:pypi/oauthenticator@15.0.0
purl	pkg:pypi/oauthenticator@15.0.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@15.0.0

aliases CVE-2022-31027, GHSA-r7v4-jwx9-wx43, PYSEC-2022-206

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f12e-7kyd-cyhg

url VCID-zn45-t3yy-p7gf

vulnerability_id VCID-zn45-t3yy-p7gf

summary An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on the Hub. (Users were not allowed to access other users' accounts, but could create their own accounts on the Hub linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist is unaffected. No other Authenticators are affected.)

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-7206

reference_id

reference_type

scores

value	0.00651
scoring_system	epss
scoring_elements	0.71258
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-7206

reference_url

https://blog.jupyter.org/security-fix-for-jupyterhub-gitlab-oauthenticator-7b14571d1f76

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://blog.jupyter.org/security-fix-for-jupyterhub-gitlab-oauthenticator-7b14571d1f76

reference_url

https://github.com/advisories/GHSA-8x3m-m3x9-54fj

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-8x3m-m3x9-54fj

reference_url

https://github.com/jupyterhub/oauthenticator

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/oauthenticator

reference_url

https://github.com/jupyterhub/oauthenticator/blob/8499dc2/CHANGELOG.md#073---2018-02-16

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/oauthenticator/blob/8499dc2/CHANGELOG.md#073---2018-02-16

reference_url

https://github.com/jupyterhub/oauthenticator/commit/1845c0e4b1bff3462c91c3108c85205acd3c75a2

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jupyterhub/oauthenticator/commit/1845c0e4b1bff3462c91c3108c85205acd3c75a2

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2018-151.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2018-151.yaml

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2018-68.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2018-68.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-7206

reference_id

CVE-2018-7206

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-7206

fixed_packages

url pkg:pypi/oauthenticator@0.6.2

purl pkg:pypi/oauthenticator@0.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-f12e-7kyd-cyhg

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@0.6.2

url pkg:pypi/oauthenticator@0.7.3

purl pkg:pypi/oauthenticator@0.7.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-f12e-7kyd-cyhg

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@0.7.3

aliases CVE-2018-7206, GHSA-8x3m-m3x9-54fj, PYSEC-2018-151, PYSEC-2018-68

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zn45-t3yy-p7gf

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@0.6.1

Package Instance