CVE-2024-45034
Vulnerability in apache-airflow (PyPI)

No known exploit

What is CVE-2024-45034 About?

An issue in Project Jupyter JupyterHub OAuthenticator allows users not in whitelisted GitLab groups to create accounts. This bypasses intended access control mechanisms, compromising user management on the Hub. Exploitation is straightforward for any user with a GitLab account.

Affected Software

apache-airflow <2.10.1

Technical Details

The vulnerability exists in Project Jupyter JupyterHub OAuthenticator versions 0.6.x before 0.6.2 and 0.7.x before 0.7.3 when using GitLab group whitelisting for access control. The core problem is that the OAuthenticator fails to correctly check group membership during the authentication and account creation process. Specifically, after a user authenticates with GitLab, the OAuthenticator does not properly verify if the user belongs to one of the configured whitelisted GitLab groups. This oversight allows users who are not part of the authorized groups to successfully create their own accounts on the JupyterHub instance, linked to their GitLab identity, despite restrictions being in place.
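To make the described access-control gap concrete, the following added example (constructed for this page, not OAuthenticator's or Airflow's own code) places the flawed post-authentication step beside a hardened one. The GitLab groups response, the group paths and the function names are all assumptions; the hardened version fails closed on an empty allowlist or an unusable groups response.

```python
import json

# Constructed sample of a "groups the current user belongs to" style
# GitLab response (hypothetical data, not a real API capture).
SAMPLE_GROUPS_RESPONSE = json.dumps([
    {"id": 10, "full_path": "data-science"},
    {"id": 11, "full_path": "data-science/interns"},
])


def gitlab_group_paths(response_body):
    """Return the set of full_path values from a groups response.
    Malformed or unexpected bodies yield an empty set, so a failed or
    truncated lookup can never be mistaken for membership."""
    try:
        groups = json.loads(response_body)
    except ValueError:
        return set()
    if not isinstance(groups, list):
        return set()
    return {g["full_path"] for g in groups
            if isinstance(g, dict) and "full_path" in g}


def authenticate_vulnerable(username, response_body, allowed_groups):
    """Mirrors the flaw described above: the allowlist is configured
    but never consulted, so any authenticated GitLab user is accepted
    and gets an account on the Hub."""
    return username


def authenticate_fixed(username, response_body, allowed_groups):
    """Hardened gate: accept only a user who is in at least one
    allowlisted group. An empty allowlist denies everyone rather than
    admitting everyone; returning None signals 'no account'."""
    if not allowed_groups:
        return None
    if gitlab_group_paths(response_body).isdisjoint(allowed_groups):
        return None
    return username
```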

What is the Impact of CVE-2024-45034?

Successful exploitation may allow attackers to bypass intended access controls, create unauthorized user accounts on the Hub, and potentially consume resources or disrupt service availability.

What is the Exploitability of CVE-2024-45034?

Exploitation of this vulnerability is of relatively low complexity and requires no special tools beyond a valid GitLab account. Authentication is involved, as the user must authenticate with GitLab, but no specific privileges are needed beyond being a GitLab user. The attack is remote, as it occurs during the normal login and account creation flow. No special conditions are required other than the JupyterHub instance being configured with the affected OAuthenticator versions and GitLab group whitelisting enabled. The primary risk factor is external users unexpectedly gaining access to the JupyterHub environment simply by attempting to log in.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2024-45034?

Available Upgrade Options

  • apache-airflow
    • <2.10.1 → Upgrade to 2.10.1

Additional Resources

What are Similar Vulnerabilities to CVE-2024-45034?

Similar Vulnerabilities: CVE-2023-46271, CVE-2023-48690, CVE-2022-38708, CVE-2021-32631, CVE-2022-4424