jupyterhub-ltiauthenticator LTI13Authenticator JWT Signature Verification Vulnerability

Overview  

CVE-2023-25574 is a critical vulnerability in jupyterhub-ltiauthenticator, the JupyterHub authenticator for Learning Tools Interoperability (LTI) launches. It affects the LTI13Authenticator class introduced in version 1.3.0, which accepted the LTI 1.3 id_token (a JSON Web Token) without verifying its signature, so the claims it carries, including the user identity, could be supplied by anyone able to reach the Hub's login endpoint. The issue was addressed in version 1.4.0 by removing the LTI13Authenticator class entirely.

Vulnerability Details 

  • CVE ID: CVE-2023-25574

  • Base Score: 10.0 (CRITICAL)

  • Published Date: February 2023

  • Affected Versions: jupyterhub-ltiauthenticator 1.3.0

  • Fixed Versions: jupyterhub-ltiauthenticator 1.4.0 and later

Impact  

The vulnerability allows an attacker to bypass authentication by submitting a forged JWT: because the signature is never checked, the Hub trusts whatever subject and roles the token claims. This could lead to unauthorized access to JupyterHub instances, and through them to notebooks, data and the compute the Hub spawns. Only JupyterHub instances configured to use the LTI13Authenticator class are affected; the package's other authenticators are not.

Technical Background 

LTI (Learning Tools Interoperability) is a standard for integrating educational tools with learning management systems (LMS). The jupyterhub-ltiauthenticator allows JupyterHub to authenticate users via LTI. The LTI13Authenticator class, introduced in version 1.3.0, was designed to handle LTI 1.3 launches, in which the LMS (the "platform") posts a signed JWT, the id_token, to the tool; every assertion about the user comes from that token.

However, the LTI13Authenticator class in version 1.3.0 decoded the token's payload without verifying the signature. In LTI 1.3 the platform signs the id_token with its private key and publishes the matching public key at its JWKS endpoint; the tool must fetch that key and verify the signature before trusting any claim. Without this step the token is effectively a plain JSON document that anyone can write, so an attacker could forge one and impersonate any user. Signature verification alone is also not sufficient: the tool must check that iss matches the registered platform, that aud contains its own client_id, that exp has not passed, and that the nonce has not been seen before; otherwise a genuine token captured from one launch can be replayed.

Sample Scenario  

  1. Setup: A university configures JupyterHub to use the LTI13Authenticator for authenticating students via their LMS. The LMS uses LTI 1.3 to send JWTs to JupyterHub for user authentication.

  2. Attack: An attacker discovers that the JupyterHub instance is using jupyterhub-ltiauthenticator version 1.3.0. They craft a forged JWT with arbitrary user claims, sign it with a key of their own (or leave the signature meaningless), and post it to the Hub's LTI 1.3 launch endpoint.

  3. Exploitation: Since the LTI13Authenticator does not verify the JWT signature, JupyterHub accepts the forged token and grants the attacker access to the system as the user specified in the token.

  4. Consequences: The attacker gains unauthorized access to the JupyterHub environment, potentially accessing sensitive student data, running malicious code, or disrupting the service.
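The following is an added example, not code from jupyterhub-ltiauthenticator, illustrating both the technical background above and the scenario just described: a token forged under a key the platform never issued is accepted by a decoder that skips signature verification and rejected by one that verifies the signature and then the issuer, audience, expiry and message type. Assumptions: a shared HS256 key stands in for the platform's RS256 key pair so the example runs with the standard library alone (a real tool fetches the platform's public key from its JWKS endpoint and pins RS256); the issuer, client_id, nonce and subject values are constructed.

```python
"""Forged LTI 1.3 id_token against a non-verifying and a verifying decoder.

Added example, not the project's code. HS256 with a shared key is used only
so the example runs offline with the standard library; real LTI 1.3 tokens
are RS256-signed and verified with the platform's published public key.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed values standing in for a real LMS platform and tool registration.
PLATFORM_ISSUER = "https://lms.example.edu"
TOOL_CLIENT_ID = "jupyterhub-tool-1"
PLATFORM_KEY = b"constructed-platform-signing-key"  # known to platform and tool only
MESSAGE_TYPE = "https://purl.imsglobal.org/spec/lti/claim/message_type"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The vulnerable pattern: return the payload without checking the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Verify the signature first, then the claims every launch must carry."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (rejects alg "none" and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get(MESSAGE_TYPE) != "LtiResourceLinkRequest":
        raise ValueError("not a resource link launch")
    # A real tool would also reject a nonce it has already seen (replay); omitted here.
    return claims


def launch_claims(sub: str, now: float, nonce: str) -> dict:
    """Minimal LTI 1.3 resource-link launch claims (constructed)."""
    return {"iss": PLATFORM_ISSUER, "aud": TOOL_CLIENT_ID, "sub": sub,
            "iat": int(now), "exp": int(now) + 300, "nonce": nonce,
            MESSAGE_TYPE: "LtiResourceLinkRequest"}


def forged_token(victim_sub: str, now: float) -> str:
    """What the attacker posts: plausible claims, signed with a key they made up."""
    return make_token(launch_claims(victim_sub, now, "attacker-nonce"), os.urandom(32))


def run_demo(now: float = 1_700_000_000.0) -> dict:
    """Feed one forged and one genuine token to both decoders; return what each decided."""
    token = forged_token("instructor", now)
    result = {"unverified_sub": decode_unverified(token)["sub"]}
    try:
        decode_verified(token, PLATFORM_KEY, PLATFORM_ISSUER, TOOL_CLIENT_ID, now)
        result["verified"] = "accepted"
    except ValueError as exc:
        result["verified"] = f"rejected: {exc}"
    genuine = make_token(launch_claims("student42", now, "n-1"), PLATFORM_KEY)
    result["genuine_sub"] = decode_verified(genuine, PLATFORM_KEY, PLATFORM_ISSUER,
                                            TOOL_CLIENT_ID, now)["sub"]
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The order inside decode_verified matters: the signature is checked before any claim is read, so a token that fails verification never influences a decision, and the algorithm is pinned by the verifier rather than taken from the token header. The nonce check is the one piece deliberately left out, since it needs server-side state; without it a verified token is still replayable until exp.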

Mitigation

The vulnerability was fixed in version 1.4.0 of jupyterhub-ltiauthenticator by removing the LTI13Authenticator class. Users are strongly advised to upgrade to version 1.4.0 or later. Because the class no longer exists after the upgrade, a jupyterhub_config.py that still sets it as the authenticator must be changed to another authenticator before the Hub is restarted. If upgrading is not immediately possible, disable the LTI13Authenticator and use an alternative authentication method; the package's other authenticators are not affected by this issue.

Steps to Upgrade

  1. Check the current version of jupyterhub-ltiauthenticator:

```bash
pip show jupyterhub-ltiauthenticator
```

  2. If the version is 1.3.0, upgrade to version 1.4.0 or later (releases before 1.3.0 do not ship the LTI13Authenticator class and are not affected, though upgrading them is harmless):

```bash
pip install --upgrade jupyterhub-ltiauthenticator
```

  3. Edit jupyterhub_config.py so that c.JupyterHub.authenticator_class no longer refers to LTI13Authenticator, since the class does not exist in 1.4.0 and the Hub will fail to start if it is still referenced, then restart the JupyterHub service to apply the changes.

Conclusion 

CVE-2023-25574 is a critical vulnerability that underscores the importance of proper JWT signature verification in authentication mechanisms. Users of jupyterhub-ltiauthenticator should take immediate action to upgrade to the latest version to protect their JupyterHub instances from potential exploitation.

References

  • https://nvd.nist.gov/

Crow

physics, information technologies, author, educator
