CVE-2023-25574
CRITICAL: jupyterhub-ltiauthenticator 1.3.0-1.4.0 - Improper Verification of Cryptographic Signature in LTI13Authenticator
`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for Learning Tools Interoperability (LTI). The `LTI13Authenticator` class introduced in `jupyterhub-ltiauthenticator` 1.3.0 did not validate JWT signatures. This is believed to allow `LTI13Authenticator` to authorize a forged request. Only users who have configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes `LTI13Authenticator` to address the issue. No known workarounds are available.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp
Product (x_refsource_misc): https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164
Release Notes (x_refsource_misc): https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01
Scores
CVSS v3: 10.0
EPSS: 0.0033
EPSS Percentile: 24.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-347
Status: published
Products (2)
jupyter/lti_jupyterhub_authenticator: 1.3.0
pypi/jupyterhub-ltiauthenticator: 1.3.0 - 1.4.0 (PyPI)
Published: Feb 25, 2025
Tracked Since: Feb 18, 2026