JupyterHub OAuthenticator Authentication Bypass Vulnerability via Unverified Email

Vulnerability

An authentication bypass vulnerability has been identified in JupyterHub OAuthenticator versions prior to 17.4.0. An attacker who holds an account with an unverified email address on an Auth0 tenant can use it to log in to JupyterHub. When the email claim is used as the username, this gives the attacker control over the resulting username: registering an Auth0 account under an existing user's email address, without ever completing verification, yields a login as that user, i.e. account takeover. The issue arises because Auth0 treats email verification as a user flag (the `email_verified` claim) rather than as a requirement for authentication, and affected OAuthenticator versions accept the email without checking that flag.

Impact

Exploitation of this vulnerability allows authentication bypass: an attacker can log in as an existing user whose email is verified, which amounts to takeover of that user's JupyterHub account.

Reproduction

To reproduce this vulnerability, create an Auth0 account whose email address is never verified (to demonstrate takeover, register it under an existing JupyterHub user's email address). Configure an affected JupyterHub OAuthenticator (before 17.4.0) to use the email claim as the username identifier. Log in to JupyterHub with the unverified account: the hub accepts it and maps it to the email-derived username, exactly as it would for a verified account.

Remediation

Users are advised to upgrade OAuthenticator to version 17.4.0 or later. Additionally, Auth0 tenants can enforce email verification on the Auth0 side, denying access to accounts whose email is unverified and sending a verification email after each denied attempt, so that only verified emails are ever used for authentication.
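The following is an added example, not OAuthenticator's own code, that models the flaw and the fix in isolation. It assumes two constructed Auth0 userinfo responses (the `sub`, `email` and `email_verified` fields are standard OIDC claims; the values are made up): a legitimate user with a verified address and an attacker who registered under the same address but never verified it. `vulnerable_username` reproduces the pre-17.4.0 behaviour of trusting the email claim as-is; `hardened_username` refuses to derive a username from an email that Auth0 has not marked verified.

```python
"""Added example (not OAuthenticator's code): deriving a JupyterHub username
from Auth0 userinfo with and without checking the email_verified claim."""

# Constructed sample userinfo responses, shaped like Auth0's /userinfo output.
# All identifiers and addresses below are made up for this example.
VICTIM_USERINFO = {
    "sub": "auth0|victim0001",
    "email": "alice@example.org",
    "email_verified": True,
}
ATTACKER_USERINFO = {
    "sub": "auth0|attacker0002",
    "email": "alice@example.org",   # registered with the victim's address...
    "email_verified": False,        # ...but the verification link was never clicked
}


def vulnerable_username(user_info):
    """Pre-17.4.0-style behaviour: the email claim becomes the username, unchecked."""
    return user_info["email"]


def hardened_username(user_info, username_claim="email"):
    """Refuse to derive a username from an unverified email.

    Returns None (login denied) unless Auth0 reports the email as verified.
    The check is strict (`is True`) so a missing or non-boolean claim also denies.
    It only matters when the username is taken from the email claim; a username
    derived from the stable `sub` claim is not affected by this flaw.
    """
    if username_claim == "email" and user_info.get("email_verified") is not True:
        return None
    return user_info.get(username_claim)


def simulate_logins(username_fn):
    """Map each identity to the JupyterHub username the authenticator would assign."""
    return {
        "victim": username_fn(VICTIM_USERINFO),
        "attacker": username_fn(ATTACKER_USERINFO),
    }


if __name__ == "__main__":
    # Vulnerable: both identities collapse onto the same username (takeover).
    print("vulnerable:", simulate_logins(vulnerable_username))
    # Hardened: the unverified account is denied (None), the real user still logs in.
    print("hardened:  ", simulate_logins(hardened_username))
```

With the vulnerable mapping both identities resolve to `alice@example.org`, so the attacker's session is indistinguishable from the victim's; with the hardened mapping the attacker gets no username and the login is rejected. Using the `sub` claim as the username avoids the problem entirely, at the cost of less readable usernames.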

Added: Apr 3, 2026, 10:27 PM
Updated: Apr 3, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm
spread 5.0
impact 5.0
exploitability 7.2
remediation 8.3
relevance 5.2
threat 4.8
urgency 2.9
incentive 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.