CVE-2023-25574

Summary

jupyterhub-ltiauthenticator is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in jupyterhub-ltiauthenticator 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class LTI13Authenticator are affected. jupyterhub-ltiauthenticator version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
jupyterhubltiauthenticator= 1.3.0affected

Weaknesses

  • CWE-347: CWE-347: Improper Verification of Cryptographic Signature

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References