Security fix for JupyterHub GitLab OAuthenticator Group Whitelists
This vulnerability has been assigned CVE-2018-7206.
If you are using JupyterHub with the GitLab OAuthenticator and its gitlab_group_whitelist support, there is a security issue where the authenticator will allow users outside your intended group whitelist to create accounts. A fix has been released as OAuthenticator 0.6.2 and 0.7.3. No other authentication mechanism, including GitLabOAuthenticator without using the group whitelist feature, is affected. If you are using GitLab authentication with group whitelist support, upgrade oauthenticator immediately:
python3 -m pip install --upgrade oauthenticator
Thanks to Joseph Weston for reporting the issue and providing the fix.
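The advisory above is only actionable if you can tell whether a given deployment is actually affected: it must both use gitlab_group_whitelist and run an oauthenticator release older than the patched one on its branch. The following is an added example, not code from the oauthenticator project; the fixed versions 0.6.2 and 0.7.3 come from the advisory, while the assumption that every release from 0.8.0 onward carries the fix, and the decision to treat an uninstalled or unparseable version as unsafe, are ours.

```python
"""Decide whether an oauthenticator installation carries the fix for
CVE-2018-7206 (GitLab group whitelist bypass).

Added example, not code from the oauthenticator project. Fixed versions
0.6.2 and 0.7.3 are taken from the advisory; treating 0.8.0 and later as
fixed is an assumption.
"""
import re
from typing import Optional, Tuple

# branch (major, minor) -> first patch release on that branch with the fix
FIXED_VERSIONS = {(0, 6): 2, (0, 7): 3}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a numeric tuple.

    Pre-release and dev suffixes (e.g. '0.7.3rc1', '0.7.3.dev0') are ignored,
    so such builds count as the release they precede. Anything that does not
    start with at least MAJOR.MINOR raises ValueError.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def has_group_whitelist_fix(version: str) -> bool:
    """True if this oauthenticator version includes the fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return patch >= FIXED_VERSIONS[branch]
    # Assumption: branches newer than 0.7 include the fix; anything older than
    # 0.6 never received it and should be upgraded.
    return branch > (0, 7)


def installed_oauthenticator_version() -> Optional[str]:
    """Return the installed oauthenticator version, or None if it is absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return version("oauthenticator")
    except PackageNotFoundError:
        return None


def is_installation_safe(group_whitelist_enabled: bool, version: Optional[str]) -> bool:
    """Only deployments that set gitlab_group_whitelist are affected.

    A deployment that does not use the group whitelist is safe regardless of
    version. If the whitelist is in use and the version is unknown or cannot
    be parsed, report unsafe rather than guessing.
    """
    if not group_whitelist_enabled:
        return True
    if version is None:
        return False
    try:
        return has_group_whitelist_fix(version)
    except ValueError:
        return False


if __name__ == "__main__":
    # Stand-alone usage: check the local environment, assuming the
    # whitelist feature is enabled (set this from your jupyterhub_config.py).
    v = installed_oauthenticator_version()
    print(f"oauthenticator {v}: safe={is_installation_safe(True, v)}")
```

Run it on the host that serves JupyterHub (the same Python environment the hub imports oauthenticator from), and pass group_whitelist_enabled according to whether your jupyterhub_config.py sets gitlab_group_whitelist. A False result means the upgrade command in the advisory still needs to be run.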
Timeline (all times UTC):
2018-02-16 09:51 Joseph Weston reports security issue to the Jupyter security list
2018-02-16 16:08 Fix is verified and applied to oauthenticator master
2018-02-16 21:52 oauthenticator 0.7.3 and 0.6.2 are released with the fix
2018-02-18 03:02 CVE-2018-7206 assigned