`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that has configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.
The `LTI13Authenticator` class, introduced in version 1.3.0, implements authentication based on the LTI 1.3 protocol using JWT tokens. The flaw lies in the lack of verification of the JWT token's cryptographic signature (CWE-347 — Improper Verification of Cryptographic Signature). An attacker can construct any forged JWT token and submit it to the authentication endpoint, and the system will accept it as valid. No credentials or permissions are required — the attack is possible remotely without user interaction.
An attacker can gain unauthorized access to a JupyterHub instance, potentially impersonating any user, including an administrator, which poses a risk of complete environment takeover, data disclosure, and violation of system integrity and availability.
Update `jupyterhub-ltiauthenticator` to version 1.4.0, in which the `LTI13Authenticator` class has been removed to eliminate the vulnerability. The vendor does not provide any workarounds — updating the package is the only solution.
JupyterHub installations using the `jupyterhub-ltiauthenticator` package in version 1.3.0 that have been configured to use the `LTI13Authenticator` authentication class.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HJupyter Lti Jupyterhub Authenticator
APPJupyter1.3.0
Related vulnerabilities
LTI JupyterHub Authenticator is a JupyterHub authenticator for LTI. Prior to version 1.6.3, the LTI 1.1 valida...
Stored XSS w Jupyter Server umożliwiający RCE przez nbconvert
RCE w szablonie rozszerzenia JupyterLab via GitHub Actions workflow
Reflected XSS w Jupyter Server Proxy — endpoint /proxy
Brak uwierzytelnienia przy proxy websocketów w Jupyter Server Proxy — RCE