Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/oauthenticator@0.6.2
Typepypi
Namespace
Nameoauthenticator
Version0.6.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version16.3.1
Latest_non_vulnerable_version17.4.0
Affected_by_vulnerabilities
0
url VCID-f12e-7kyd-cyhg
vulnerability_id VCID-f12e-7kyd-cyhg
summary OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowed_idps configuration trait of CILogonOAuthenticator is documented to be a list of domains that indicate the institutions whose users are authorized to access this JupyterHub. This authorization is validated by ensuring that the *email* field provided to us by CILogon has a *domain* that matches one of the domains listed in `allowed_idps`.If `allowed_idps` contains `berkeley.edu`, you might expect only users with valid current credentials provided by University of California, Berkeley to be able to access the JupyterHub. However, CILogonOAuthenticator does *not* verify which provider is used by the user to login, only the email address provided. So a user can login with a GitHub account that has email set to `<something>@berkeley.edu`, and that will be treated exactly the same as someone logging in using the UC Berkeley official Identity Provider. The patch fixing this issue makes a *breaking change* in how `allowed_idps` is interpreted. It's no longer a list of domains, but configuration representing the `EntityID` of the IdPs that are allowed, picked from the [list maintained by CILogon](https://cilogon.org/idplist/). Users are advised to upgrade.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-31027
reference_id
reference_type
scores
0
value 0.00267
scoring_system epss
scoring_elements 0.50407
published_at 2026-06-05T12:55:00Z
1
value 0.00267
scoring_system epss
scoring_elements 0.50346
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-31027
1
reference_url https://github.com/jupyterhub/oauthenticator
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/jupyterhub/oauthenticator
2
reference_url https://github.com/jupyterhub/oauthenticator/commit/5cd2d1816f90dc5c946e6e38fd2d0ba535624c5c
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/jupyterhub/oauthenticator/commit/5cd2d1816f90dc5c946e6e38fd2d0ba535624c5c
3
reference_url https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-r7v4-jwx9-wx43
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:05:56Z/
url https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-r7v4-jwx9-wx43
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2022-206.yaml
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2022-206.yaml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-31027
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-31027
6
reference_url https://github.com/advisories/GHSA-r7v4-jwx9-wx43
reference_id GHSA-r7v4-jwx9-wx43
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r7v4-jwx9-wx43
fixed_packages
0
url pkg:pypi/oauthenticator@15.0.0
purl pkg:pypi/oauthenticator@15.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-sfqk-pqmp-nkfj
1
vulnerability VCID-zb4n-rxh3-bbd9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@15.0.0
aliases CVE-2022-31027, GHSA-r7v4-jwx9-wx43, GMS-2022-1894, PYSEC-2022-206
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f12e-7kyd-cyhg
1
url VCID-sfqk-pqmp-nkfj
vulnerability_id VCID-sfqk-pqmp-nkfj
summary 
Globus `identity_provider` restriction ignored when used with `allow_all` in JupyterHub 5.0
JupyterHub < 5.0, when used with `GlobusOAuthenticator`, could be configured to allow all users from a particular institution only. The configuration for this would look like:

```python
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-37300
reference_id
reference_type
scores
0
value 0.00209
scoring_system epss
scoring_elements 0.43316
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-37300
1
reference_url https://github.com/jupyterhub/oauthenticator
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jupyterhub/oauthenticator
2
reference_url https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T18:00:57Z/
url https://github.com/jupyterhub/oauthenticator/commit/d1aea05fa89f2beae15ab0fa0b0d071030f79654
3
reference_url https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T18:00:57Z/
url https://jupyterhub.readthedocs.io/en/stable/howto/upgrading-v5.html#authenticator-allow-all-and-allow-existing-users
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-37300
reference_id CVE-2024-37300
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-37300
5
reference_url https://github.com/advisories/GHSA-gprj-3p75-f996
reference_id GHSA-gprj-3p75-f996
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gprj-3p75-f996
6
reference_url https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
reference_id GHSA-gprj-3p75-f996
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-12T18:00:57Z/
url https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-gprj-3p75-f996
fixed_packages
0
url pkg:pypi/oauthenticator@16.3.1
purl pkg:pypi/oauthenticator@16.3.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@16.3.1
aliases CVE-2024-37300, GHSA-gprj-3p75-f996
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sfqk-pqmp-nkfj
2
url VCID-zb4n-rxh3-bbd9
vulnerability_id VCID-zb4n-rxh3-bbd9
summary 
GoogleOAuthenticator.hosted_domain incorrectly verifies membership of an Google organization/workspace
[`GoogleOAuthenticator.hosted_domain`] is used to restrict what Google accounts can be authorized to access a JupyterHub. The restriction _is intended_ to ensure Google accounts are part of one or more Google organizations/workspaces verified to control specified domain(s).

The vulnerability is that the actual restriction has been to Google accounts with emails ending with the domain. Such accounts could have been created by anyone which at one time was able to read an email associated with the domain. This was described by Dylan Ayrey (@dxa4481) in this [blog post] from 15th December 2023.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-29033
reference_id
reference_type
scores
0
value 0.00276
scoring_system epss
scoring_elements 0.51283
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-29033
1
reference_url https://github.com/jupyterhub/oauthenticator
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jupyterhub/oauthenticator
2
reference_url https://github.com/jupyterhub/oauthenticator/commit/5246b09675501b09fb6ed64022099b7644812f60
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-21T16:20:15Z/
url https://github.com/jupyterhub/oauthenticator/commit/5246b09675501b09fb6ed64022099b7644812f60
3
reference_url https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-21T16:20:15Z/
url https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-29033
reference_id CVE-2024-29033
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-29033
5
reference_url https://github.com/advisories/GHSA-55m3-44xf-hg4h
reference_id GHSA-55m3-44xf-hg4h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-55m3-44xf-hg4h
6
reference_url https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-55m3-44xf-hg4h
reference_id GHSA-55m3-44xf-hg4h
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-21T16:20:15Z/
url https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-55m3-44xf-hg4h
fixed_packages
0
url pkg:pypi/oauthenticator@16.3.0
purl pkg:pypi/oauthenticator@16.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-sfqk-pqmp-nkfj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@16.3.0
aliases CVE-2024-29033, GHSA-55m3-44xf-hg4h
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zb4n-rxh3-bbd9
Fixing_vulnerabilities
0
url VCID-zn45-t3yy-p7gf
vulnerability_id VCID-zn45-t3yy-p7gf
summary An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not in the whitelisted groups to create accounts on the Hub. (Users were not allowed to access other users' accounts, but could create their own accounts on the Hub linked to their GitLab account. GitLab authentication not using gitlab_group_whitelist is unaffected. No other Authenticators are affected.)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-7206
reference_id
reference_type
scores
0
value 0.00651
scoring_system epss
scoring_elements 0.71258
published_at 2026-06-04T12:55:00Z
1
value 0.00651
scoring_system epss
scoring_elements 0.71302
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-7206
1
reference_url https://blog.jupyter.org/security-fix-for-jupyterhub-gitlab-oauthenticator-7b14571d1f76
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://blog.jupyter.org/security-fix-for-jupyterhub-gitlab-oauthenticator-7b14571d1f76
2
reference_url https://github.com/advisories/GHSA-8x3m-m3x9-54fj
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-8x3m-m3x9-54fj
3
reference_url https://github.com/jupyterhub/oauthenticator
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jupyterhub/oauthenticator
4
reference_url https://github.com/jupyterhub/oauthenticator/blob/8499dc2/CHANGELOG.md#073---2018-02-16
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jupyterhub/oauthenticator/blob/8499dc2/CHANGELOG.md#073---2018-02-16
5
reference_url https://github.com/jupyterhub/oauthenticator/commit/1845c0e4b1bff3462c91c3108c85205acd3c75a2
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jupyterhub/oauthenticator/commit/1845c0e4b1bff3462c91c3108c85205acd3c75a2
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2018-151.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/jupyterhub/PYSEC-2018-151.yaml
7
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2018-68.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/pypa/advisory-database/tree/main/vulns/oauthenticator/PYSEC-2018-68.yaml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-7206
reference_id CVE-2018-7206
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-7206
fixed_packages
0
url pkg:pypi/oauthenticator@0.6.2
purl pkg:pypi/oauthenticator@0.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f12e-7kyd-cyhg
1
vulnerability VCID-sfqk-pqmp-nkfj
2
vulnerability VCID-zb4n-rxh3-bbd9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@0.6.2
1
url pkg:pypi/oauthenticator@0.7.3
purl pkg:pypi/oauthenticator@0.7.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f12e-7kyd-cyhg
1
vulnerability VCID-sfqk-pqmp-nkfj
2
vulnerability VCID-zb4n-rxh3-bbd9
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@0.7.3
aliases CVE-2018-7206, GHSA-8x3m-m3x9-54fj, PYSEC-2018-151, PYSEC-2018-68
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zn45-t3yy-p7gf
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/oauthenticator@0.6.2