CVE-2022-31027: CWE-639: Authorization Bypass Through User-Controlled Key in jupyterhub oauthenticator
OAuthenticator is an OAuth token library for the JupyterHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowed_idps configuration trait of CILogonOAuthenticator is documented to be a list of domains that indicate the institutions whose users are authorized to access this JupyterHub. This authorization is validated by ensuring that the *email* field provided to us by CILogon has a *domain* that matches one of the domains listed in `allowed_idps`. If `allowed_idps` contains `berkeley.edu`, you might expect only users with valid current credentials provided by University of California, Berkeley to be able to access the JupyterHub. However, CILogonOAuthenticator does *not* verify which provider is used by the user to login, only the email address provided. So a user can login with a GitHub account that has email set to `<something>@berkeley.edu`, and that will be treated exactly the same as someone logging in using the UC Berkeley official Identity Provider. The patch fixing this issue makes a *breaking change* in how `allowed_idps` is interpreted. It's no longer a list of domains, but configuration representing the `EntityID` of the IdPs that are allowed, picked from the [list maintained by CILogon](https://cilogon.org/idplist/). Users are advised to upgrade.
AI Analysis
Technical Summary
CVE-2022-31027 is a medium-severity authorization bypass in the OAuthenticator library for JupyterHub, affecting versions prior to 15.0.0. OAuthenticator is the OAuth login library JupyterHub uses to authenticate users; its CILogonOAuthenticator class delegates login to CILogon, a federation broker that lets a user sign in through any one of many identity providers (IdPs), including institutional SAML IdPs and public providers such as GitHub. Administrators use it mainly to restrict a JupyterHub to members of specific institutions. The flaw lies in how the allowed_idps trait is enforced. Before 15.0.0 it is documented as a list of e-mail domains, and the only check performed is that the domain of the email claim returned by CILogon appears in that list. The email claim, however, is supplied by whichever provider the user chose and, at a provider like GitHub, is simply a value the account holder sets. The provider-asserted fact that would actually identify the institution, the IdP's EntityID, is never consulted. An attacker therefore only needs an account at a provider that CILogon offers, with its e-mail address set to something like attacker@berkeley.edu, and CILogonOAuthenticator treats that login exactly like one through the University of California, Berkeley IdP. This is the pattern CWE-639 (Authorization Bypass Through User-Controlled Key) describes: the authorization decision keys on a value the requester controls. The result is that anyone can obtain a user session on a JupyterHub that was meant to be limited to one or more institutions, with the computational resources and data that session can reach. The fix in 15.0.0 reinterprets allowed_idps as configuration keyed by the EntityID of each permitted IdP, taken from CILogon's maintained list, so that only logins through those specific providers are accepted. This is a breaking change: an existing list-of-domains configuration must be rewritten when upgrading. No exploitation in the wild has been reported, but the bypass requires nothing beyond a free account at a public provider, so any deployment that relies on domain-based allowed_idps should be treated as exposed.
Potential Impact
For European organizations, especially academic and research institutions that deploy JupyterHub for collaborative computational environments, this vulnerability allows an outsider to obtain a session that looks like a legitimate user from a trusted institution. No credentials of the targeted institution are needed: the attacker authenticates to a provider they control an account at and presents an institutional e-mail address. Such access could expose or alter sensitive research data, leak intellectual property, or consume paid compute. Because JupyterHub deployments typically lean on the institutional IdP as their only access control, the bypass undermines the federated authentication model these environments depend on. Any European organization running OAuthenticator with CILogonOAuthenticator and a domain-based allowed_idps list is affected, which includes universities, research consortia, and public sector bodies using JupyterHub for data analysis and scientific computing. Confidentiality and integrity of data are the primary concerns; availability is affected only if an attacker chooses to disrupt services after gaining access. Since a bypassed login is indistinguishable from a real one at the JupyterHub layer unless the originating IdP is recorded, malicious actions may be attributed to a legitimate-looking user, complicating incident response and attribution.
Mitigation Recommendations
European organizations using JupyterHub with OAuthenticator should upgrade to version 15.0.0 or later, which enforces IdP EntityID verification instead of e-mail domain matching. Upgrading alone is not sufficient: because the meaning of allowed_idps changed, the configuration must be rewritten to list the exact trusted EntityIDs from CILogon's IdP list (https://cilogon.org/idplist/), and the hub should be restarted and a test login performed to confirm that only those providers are accepted. Administrators should inventory JupyterHub deployments for vulnerable versions and review the hub's user list and authentication logs for accounts or logins that arrived via an unexpected provider or whose e-mail domain does not match the provider that issued the login. Note that multi-factor authentication at the institutional IdP does not close this bypass, since the attacker never authenticates to that IdP; it protects legitimate accounts but not the authorization decision. Likewise, the bypass needs no cooperation from a real user, so user education is not a mitigation for the flaw itself, although users should still be discouraged from registering institutional addresses at third-party providers. Where possible, restrict the IdPs offered at login to the trusted institutional ones and treat any login whose asserted IdP is not on that list as a security event.
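To make the authorization check in the Technical Summary concrete, and to support the configuration rewrite and log review recommended above, the following is an added illustration written for this page; it is not OAuthenticator's own code. The two CILogon userinfo responses are constructed samples: the claim names (`email`, `idp`, `idp_name`) follow CILogon's userinfo conventions, and the `idp` values are assumed EntityIDs. The nested `username_derivation` shape of the post-fix configuration is likewise an assumption about 15.0.0 and should be checked against the OAuthenticator documentation for the installed version.

```python
"""Before/after illustration of the CVE-2022-31027 allowed_idps check.

Added example, not code from the OAuthenticator project. The userinfo
responses below are constructed; the EntityIDs are assumed values.
"""

from typing import Iterable, List, Mapping, Sequence

# Constructed sample: login through the UC Berkeley institutional IdP.
BERKELEY_USER = {
    "sub": "http://cilogon.org/serverA/users/12345",
    "email": "alice@berkeley.edu",
    "idp": "urn:mace:incommon:berkeley.edu",        # assumed EntityID
    "idp_name": "University of California-Berkeley",
}

# Constructed sample: login through GitHub (also offered by CILogon) by an
# attacker who set their GitHub account e-mail to an @berkeley.edu address.
GITHUB_USER = {
    "sub": "http://cilogon.org/serverA/users/67890",
    "email": "mallory@berkeley.edu",
    "idp": "http://github.com/login/oauth/authorize",  # assumed EntityID
    "idp_name": "GitHub",
}

# Pre-15.0.0 style configuration: e-mail domains, not identity providers.
OLD_ALLOWED_IDPS = ["berkeley.edu"]

# 15.0.0 style configuration: keyed by IdP EntityID from
# https://cilogon.org/idplist/ (nested structure is an assumed shape).
NEW_ALLOWED_IDPS = {
    "urn:mace:incommon:berkeley.edu": {
        "username_derivation": {"username_claim": "email"},
    },
}


def email_domain(userinfo: Mapping[str, str]) -> str:
    """Domain part of the email claim, lower-cased; '' if absent or malformed."""
    email = userinfo.get("email", "")
    local, at, domain = email.rpartition("@")
    return domain.lower() if at and local else ""


def vulnerable_check(userinfo: Mapping[str, str], allowed_domains: Sequence[str]) -> bool:
    """Pre-fix semantics (CWE-639): the decision keys on the user-controlled
    email claim, so any provider that lets the user pick their e-mail passes."""
    domain = email_domain(userinfo)
    return bool(domain) and domain in {d.lower() for d in allowed_domains}


def fixed_check(userinfo: Mapping[str, str], allowed_idps: Mapping[str, dict]) -> bool:
    """Post-fix semantics: the decision keys on the idp claim, which is asserted
    by CILogon from the provider actually used, compared exactly to the
    configured EntityIDs."""
    idp = userinfo.get("idp")
    return idp is not None and idp in allowed_idps


def suspicious_logins(
    records: Iterable[Mapping[str, str]],
    allowed_domains: Sequence[str],
    allowed_idps: Mapping[str, dict],
) -> List[Mapping[str, str]]:
    """Retrospective review: logins the old check would have admitted but the
    new check rejects. Run this over preserved userinfo/auth_state records to
    find sessions that may have been obtained through the bypass."""
    return [
        r for r in records
        if vulnerable_check(r, allowed_domains) and not fixed_check(r, allowed_idps)
    ]


if __name__ == "__main__":
    for label, user in (("berkeley idp", BERKELEY_USER), ("github idp", GITHUB_USER)):
        print(
            f"{label}: domain check={vulnerable_check(user, OLD_ALLOWED_IDPS)} "
            f"entity-id check={fixed_check(user, NEW_ALLOWED_IDPS)}"
        )
    for r in suspicious_logins([BERKELEY_USER, GITHUB_USER], OLD_ALLOWED_IDPS, NEW_ALLOWED_IDPS):
        print("review:", r["email"], "via", r["idp_name"])
```

Both sample logins pass `vulnerable_check`, because both carry an @berkeley.edu address; only the one whose `idp` claim is the Berkeley EntityID passes `fixed_check`. The `suspicious_logins` helper is the shape of the review step: it flags exactly the records that the domain rule admitted and the EntityID rule would not, which is what to look for in retained authentication data when assessing whether a deployment was abused before the upgrade.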
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Switzerland, Italy, Spain, Belgium, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf33cf
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 5:34:58 AM
Last updated: 8/12/2025, 9:54:10 AM