CVE-2018-7206: JupyterHub OAuthenticator elevation of privilege

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.7078%
CWE: -
Published: 5/13/2022
Updated: 11/22/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
oauthenticator | pip       | >= 0.6, < 0.6.2     | 0.6.2
oauthenticator | pip       | >= 0.7, < 0.7.3     | 0.7.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from the group membership check logic in _check_group_whitelist. For regular (non-admin) users, the pre-patch code used the /groups API endpoint, which returns the groups a user has access to (including access gained through project membership), not the groups the user is a direct member of. The fixed version directly queries the /groups/{group}/members/{user_id} endpoint for each whitelisted group, ensuring actual membership. The diff shows the removal of the flawed group-access check path for non-admin users, confirming this was the vulnerable code path.
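The two checks contrasted above, as an added example that is not oauthenticator's own code: the pre-patch logic trusts the /groups listing, the patched logic asks /groups/{group}/members/{user_id} for each whitelisted group. The GitLab state is constructed, gitlab_get() is an offline stand-in for the real API, and only the non-admin path the analysis describes is modelled.

```python
# Added example (not oauthenticator's code). Contrasts the pre-patch check,
# which trusts GitLab's /groups listing, with the patched check, which asks
# /groups/{group}/members/{user_id} directly. All GitLab state below is
# constructed and gitlab_get() is an offline stand-in for the real API.

WHITELIST = {"research"}  # constructed: groups allowed to sign in to the Hub

# Constructed GitLab state. User 101 is a direct member of "research".
# User 102 only belongs to a project that lives under the "research" group.
DIRECT_MEMBERS = {"research": {101}, "public-docs": {102}}
PROJECT_ACCESS = {102: {"research/paper-repo"}}


def gitlab_get(path, user_id):
    """Return (json, status) the way the two GitLab endpoints behave.

    user_id stands in for the access token identifying the caller."""
    if path == "/groups":
        # /groups lists every group the caller can access, and (as the
        # analysis above states) access through one of a group's projects
        # counts, so this is not a list of direct group memberships.
        accessible = {g for g, m in DIRECT_MEMBERS.items() if user_id in m}
        accessible |= {p.split("/")[0] for p in PROJECT_ACCESS.get(user_id, ())}
        return [{"path": g} for g in sorted(accessible)], 200
    parts = path.strip("/").split("/")  # groups/<group>/members/<uid>
    if len(parts) == 4 and parts[0] == "groups" and parts[2] == "members":
        if int(parts[3]) in DIRECT_MEMBERS.get(parts[1], set()):
            return {"id": int(parts[3])}, 200
        return {"message": "404 Not found"}, 404
    return {"message": "404 Not found"}, 404


def check_group_whitelist_prepatch(user_id):
    """Vulnerable logic: group access is mistaken for group membership."""
    groups, _ = gitlab_get("/groups", user_id)
    return any(g["path"] in WHITELIST for g in groups)


def check_group_whitelist_patched(user_id):
    """Fixed logic: ask GitLab whether the user is a member of each group."""
    for group in sorted(WHITELIST):
        _, status = gitlab_get(f"/groups/{group}/members/{user_id}", user_id)
        if status == 200:
            return True
    return False


if __name__ == "__main__":
    for uid in (101, 102):  # 102 passes the old check, fails the fixed one
        print(uid, check_group_whitelist_prepatch(uid), check_group_whitelist_patched(uid))
```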

WAF Protection Rules

WAF Rule

An issue was discovered in Project Jupyter JupyterHub OAuthenticator 0.6.x before 0.6.2 and 0.7.x before 0.7.3. When using JupyterHub with GitLab group whitelisting for access control, group membership was not checked correctly, allowing members not
