CVE-2024-29033
📋 TL;DR
This vulnerability in OAuthenticator's GoogleOAuthenticator.hosted_domain feature allows unauthorized access to JupyterHub instances. Instead of restricting access to verified Google organization accounts, it only checks email domain endings, enabling anyone with a personal Google account using that domain to gain access. All JupyterHub deployments using OAuthenticator versions before 16.3.0 with Google OAuth are affected.
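As an added illustration (not OAuthenticator's own code), the following compares the suffix-only check described above with a check that also requires Google's `hd` (hosted domain) claim, which Google sets only for Workspace organization accounts and omits for personal accounts; the userinfo documents are constructed samples and `example.com` is an assumed domain.

```python
"""Suffix-only domain check (the weakness behind CVE-2024-29033) beside a
check that also requires Google's `hd` claim. Added example, not
OAuthenticator's code; sample userinfo documents are constructed."""

# Assumed organisation domains (OAuthenticator accepts one or several).
HOSTED_DOMAINS = {"example.com"}

# Constructed: Workspace account; Google includes the `hd` claim.
WORKSPACE_USER = {"email": "alice@example.com", "email_verified": True,
                  "hd": "example.com"}
# Constructed: personal Google account registered with an address at the
# domain; Google issues no `hd` claim for such accounts.
PERSONAL_USER = {"email": "mallory@example.com", "email_verified": True}
# Constructed: Workspace account from an unrelated organisation.
OTHER_USER = {"email": "bob@other.org", "email_verified": True,
              "hd": "other.org"}
# Constructed: claims that disagree with each other; must never be accepted.
MISMATCH_USER = {"email": "eve@example.com", "email_verified": True,
                 "hd": "other.org"}


def suffix_only_check(user_info, hosted_domains=HOSTED_DOMAINS):
    """Weak check: accept any verified email that ends in an allowed domain."""
    email = user_info.get("email", "").lower()
    domain = email.rpartition("@")[2]
    return bool(user_info.get("email_verified")) and domain in hosted_domains


def hd_claim_check(user_info, hosted_domains=HOSTED_DOMAINS):
    """Stricter check: the email domain and the `hd` claim must both name an
    allowed domain and agree with each other."""
    email = user_info.get("email", "").lower()
    domain = email.rpartition("@")[2]
    hd = user_info.get("hd", "").lower()
    return (bool(user_info.get("email_verified"))
            and domain in hosted_domains
            and hd == domain)


def accepted(users, check):
    """Emails that the given check would admit."""
    return [u["email"] for u in users if check(u)]


if __name__ == "__main__":
    users = [WORKSPACE_USER, PERSONAL_USER, OTHER_USER, MISMATCH_USER]
    print("suffix only:", accepted(users, suffix_only_check))
    print("hd claim   :", accepted(users, hd_claim_check))
```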
💻 Affected Systems
- OAuthenticator
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain access to JupyterHub environments, potentially accessing sensitive data, executing arbitrary code, or compromising the entire JupyterHub deployment.
Likely Case
Unauthorized users bypass intended domain restrictions and gain access to JupyterHub resources they shouldn't have access to, potentially viewing or modifying data.
If Mitigated
Proper domain verification ensures only authorized organization members can access the JupyterHub instance.
🎯 Exploit Status
Exploitation requires a Google account with email ending in the target domain, which can be created by anyone who can read email for that domain.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.3.0
Vendor Advisory: https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-55m3-44xf-hg4h
Restart Required: Yes
Instructions:
1. Update OAuthenticator to version 16.3.0 or later using pip (quote the requirement so the shell does not treat `>` as a redirect): pip install --upgrade "oauthenticator>=16.3.0"
2. Restart JupyterHub service
3. Verify the fix by testing authentication with unauthorized Google accounts
🔧 Temporary Workarounds
Use allowed_users or allowed_google_groups
Implement additional user/group restrictions instead of relying solely on hosted_domain
# Configure in jupyterhub_config.py
c.GoogleOAuthenticator.allowed_users = {'user1@domain.com', 'user2@domain.com'}
# Or use Google Groups: a dict keyed by hosted domain, mapping to a set of group names.
# Group lookups also require gsuite_administrator and google_service_account_keys to be configured.
c.GoogleOAuthenticator.allowed_google_groups = {'domain.com': {'group-id-1', 'group-id-2'}}
🧯 If You Can't Patch
- Disable Google OAuth authentication entirely and use alternative authentication methods
- Implement network-level access controls to restrict JupyterHub access to trusted IP ranges only
🔍 How to Verify
Check if Vulnerable:
Check OAuthenticator version: pip show oauthenticator | grep Version
If version is <16.3.0 and GoogleOAuthenticator with hosted_domain is configured, the system is vulnerable.
Check Version:
pip show oauthenticator | grep Version
Verify Fix Applied:
After updating to 16.3.0+, test authentication with a Google account whose email ends in the domain but which is not part of the verified organization; it should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Successful authentication from Google accounts not part of the verified organization
- Authentication attempts from unexpected email addresses ending in the target domain
Network Indicators:
- OAuth callback requests from unauthorized Google accounts
SIEM Query:
source="jupyterhub" AND "authenticated" AND "google" AND NOT "verified_organization"
🔗 References
- https://github.com/jupyterhub/oauthenticator/commit/5246b09675501b09fb6ed64022099b7644812f60
- https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-55m3-44xf-hg4h
- https://trufflesecurity.com/blog/google-oauth-is-broken-sort-of