Summary
Background
CILogon is a federated auth provider that allows users to authenticate
themselves via a number of Identity Providers (IdP), focused primarily on educational and
research institutions (such as Universities). More traditional and open IdPs
such as GitHub, ORCID, Google, Microsoft, etc are also supported.
CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log
in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub
only to users of a given institute. The allowed_idps configuration trait of
CILogonOAuthenticator is documented to be a list of domains that indicate the
institutions whose users are authorized to access this JupyterHub. This authorization
is validated by ensuring that the email field provided to us by CILogon has a
domain that matches one of the domains listed in allowed_idps.
Impact
If allowed_idps contains berkeley.edu, you might expect only users with valid
current credentials provided by University of California, Berkeley to be able to
access the JupyterHub. However, CILogonOAuthenticator does not verify which provider
is used by the user to login, only the email address provided. So a user can login
with a GitHub account that has email set to <something>@berkeley.edu, and that will
be treated exactly the same as someone logging in using the UC Berkeley official
Identity Provider. This has two consequences:
- Since GitHub (and most other providers we tested) only require you to verify
your email once, a user can access a JupyterHub even if their access to
the institution's IdP has been revoked or expired. - CILogon supports hundreds of identity providers - if even one of them allows
users to set any email ids without verifying, that can be used to impersonate
any user on any other identity provider! While CILogon itself has a stellar
security record, this particular method of doing authorization means an attacker
would only need to compromise a single identity provider to compromise all of
CILogon
We currently do not know of any identity provider that provides unverified
email addresses to CILogon, so this is not a severe known vulnerability. However,
there are hundreds of IdPs, and we could not try them all.
CVE-2022-31027 has a CVSS score of 4.2 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (15.0.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
This patch makes a breaking change in how allowed_idps is interpreted. It's
no longer a list of domains, but configuration representing the EntityID of the
IdPs that are allowed, picked from the list maintained by CILogon.
So instead of berkeley.edu, you would specify urn:mace:incommon:berkeley.edu to
allow logins from users currently with berkeley.edu accounts. GitHub users
with a verified berkeley.edu email will no longer be allowed to log in.
For details on how to transition your CILogonOAuthenticator configuration to the patched version 15.0.0 or above, see the migration documentation.
Frequently Asked Questions
- What is CVE-2022-31027? CVE-2022-31027 is a medium-severity security vulnerability in oauthenticator (pip), affecting versions < 15.0.0. It is fixed in 15.0.0.
- How severe is CVE-2022-31027? CVE-2022-31027 has a CVSS score of 4.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of oauthenticator are affected by CVE-2022-31027? oauthenticator (pip) versions < 15.0.0 is affected.
- Is there a fix for CVE-2022-31027? Yes. CVE-2022-31027 is fixed in 15.0.0. Upgrade to this version or later.
- Is CVE-2022-31027 exploitable, and should I be worried? Whether CVE-2022-31027 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2022-31027 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2022-31027? Upgrade
oauthenticatorto 15.0.0 or later.