CVE-2023-25574
📋 TL;DR
CVE-2023-25574 is a critical authentication bypass vulnerability in jupyterhub-ltiauthenticator's LTI13Authenticator that fails to validate JWT signatures, allowing attackers to forge authentication requests. Only JupyterHub installations configured to use the LTI13Authenticator class are affected. This vulnerability enables unauthorized access to JupyterHub instances.
💻 Affected Systems
- jupyterhub-ltiauthenticator
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of JupyterHub instance allowing unauthorized users to access, modify, or delete resources, potentially leading to data breach or system takeover.
Likely Case
Unauthorized access to JupyterHub by malicious actors posing as legitimate users, enabling privilege escalation and data access.
If Mitigated
No impact if LTI13Authenticator is not used or the system is patched to version 1.4.0+.
🎯 Exploit Status
Exploitation requires knowledge of JWT token structure but no authentication; CVSS 10.0 indicates trivial exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.0
Vendor Advisory: https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp
Restart Required: Yes
Instructions:
1. Upgrade jupyterhub-ltiauthenticator to version 1.4.0 or later using pip (quote the requirement so the shell does not treat >= as a redirect): pip install --upgrade 'jupyterhub-ltiauthenticator>=1.4.0'
2. Restart the JupyterHub service
3. Verify LTI13Authenticator is no longer in use
🔧 Temporary Workarounds
Switch to LTI11Authenticator
Temporarily switch from the vulnerable LTI13Authenticator to LTI11Authenticator if LTI 1.3 features are not required.
Modify the JupyterHub configuration to use 'ltiauthenticator.LTI11Authenticator' instead of 'ltiauthenticator.lti13.auth.LTI13Authenticator'.
🧯 If You Can't Patch
- Disable LTI13Authenticator entirely and use alternative authentication methods
- Implement network-level controls to restrict access to JupyterHub only from trusted sources
🔍 How to Verify
Check if Vulnerable:
Check the JupyterHub configuration for use of the 'LTI13Authenticator' class and verify that the installed jupyterhub-ltiauthenticator version is 1.3.0 (below the fixed 1.4.0).
Check Version:
pip show jupyterhub-ltiauthenticator | grep Version
Verify Fix Applied:
Confirm jupyterhub-ltiauthenticator version is 1.4.0+ and LTI13Authenticator is not configured
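The two-part check above (vulnerable class selected in jupyterhub_config.py, and an installed version below 1.4.0) can be scripted. This is an added example, not code from the ltiauthenticator project; the config snippet and pip output are constructed samples, and the 'lti13' entry-point alias is an assumption.

```python
import re
from typing import Optional, Tuple

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_CONFIG = """
from ltiauthenticator.lti13.auth import LTI13Authenticator
c.JupyterHub.authenticator_class = LTI13Authenticator
c.LTI13Authenticator.client_id = "example-client-id"
"""
SAMPLE_PIP_SHOW = "Name: jupyterhub-ltiauthenticator\nVersion: 1.3.0\nSummary: LTI authenticator\n"

FIXED_VERSION = (1, 4, 0)  # first release with JWT signature validation

# Ways jupyterhub_config.py can select the vulnerable class.
LTI13_PATTERNS = [
    r"authenticator_class\s*=\s*['\"]ltiauthenticator\.lti13\.auth\.LTI13Authenticator['\"]",
    r"authenticator_class\s*=\s*LTI13Authenticator\b",
    r"authenticator_class\s*=\s*['\"]lti13['\"]",  # assumed entry-point alias
]


def parse_version(pip_show_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract the numeric version from `pip show` output as a 3-tuple; None if absent."""
    m = re.search(r"^Version:\s*(\d+(?:\.\d+)*)", pip_show_output, re.MULTILINE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))  # pad so "1.4" compares equal to "1.4.0"
    return (parts[0], parts[1], parts[2])


def uses_lti13(config_text: str) -> bool:
    """True if the config selects LTI13Authenticator; commented-out lines are ignored."""
    code = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    return any(re.search(p, code) for p in LTI13_PATTERNS)


def is_vulnerable(config_text: str, pip_show_output: str) -> bool:
    """Vulnerable only when LTI13Authenticator is in use AND the version is below 1.4.0."""
    version = parse_version(pip_show_output)
    if version is None:
        return False  # package not installed, so the class cannot be loaded
    return uses_lti13(config_text) and version < FIXED_VERSION


if __name__ == "__main__":
    print("vulnerable" if is_vulnerable(SAMPLE_CONFIG, SAMPLE_PIP_SHOW) else "not vulnerable")
```

Feed it the real jupyterhub_config.py and the output of `pip show jupyterhub-ltiauthenticator`; a result of "not vulnerable" after the upgrade confirms the fix is applied.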
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns from LTI endpoints
- Failed JWT validation attempts
- Unexpected user sessions
Network Indicators:
- Unusual LTI launch requests to JupyterHub endpoints
- Suspicious JWT tokens in authentication requests
SIEM Query:
source="jupyterhub" AND ("LTI13" OR "JWT validation failed")
🔗 References
- https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164
- https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01
- https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp