If you are using JupyterHub with the GitLab OAuthenticator and its gitlab_group_whitelist support, there is a security issue where the authenticator will allow users outside your intended group whitelist to create accounts. A fix has been released as OAuthenticator 0.6.2 and 0.7.3. No other authentication mechanism, including GitLabOAuthenticator without using the group whitelist feature, is affected. If you are using GitLab authentication with group whitelist support, upgrade oauthenticator immediately:
python3 -m pip install --upgrade oauthenticator
Thanks to Joseph Weston for reporting the issue and providing the fix.
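As an added check (not code from the advisory or from the oauthenticator project), the Python below decides whether a deployment falls into the affected combination described above: the GitLab authenticator with a non-empty gitlab_group_whitelist on a release older than 0.6.2 or 0.7.3. It assumes that later series (0.8 and up) carry the fix and treats anything older than the 0.6 series as unpatched; the names FIXED, is_patched and needs_upgrade are chosen here.

```python
"""Audit an oauthenticator install for the GitLab group-whitelist fix."""
import re
from typing import Optional, Sequence, Tuple

# Fixed releases named in the advisory, keyed by minor series.
FIXED = {(0, 6): (0, 6, 2), (0, 7): (0, 7, 3)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '0.7.3' (or '0.7') into a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")[:3]]
    parts += [0] * (3 - len(parts))  # pad '0.7' to (0, 7, 0)
    return parts[0], parts[1], parts[2]


def is_patched(version: str) -> bool:
    """True if this release is at or above the fixed release of its series."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return v >= fixed
    # Assumption: series newer than 0.7 include the fix from master;
    # anything older than 0.6 is treated as unpatched.
    return v[:2] > (0, 7)


def needs_upgrade(version: str, authenticator_class: str,
                  group_whitelist: Sequence[str]) -> bool:
    """Only the GitLab authenticator *with* a group whitelist is affected."""
    if not authenticator_class.endswith("GitLabOAuthenticator"):
        return False  # GitHub, PAM, etc. are not affected
    if not group_whitelist:
        return False  # GitLab without the whitelist feature is not affected
    return not is_patched(version)


def installed_version() -> Optional[str]:
    """Version of the oauthenticator package on this host, if installed."""
    try:
        import oauthenticator
    except ImportError:
        return None
    return oauthenticator.__version__


if __name__ == "__main__":
    # Constructed sample config values; read yours from jupyterhub_config.py.
    ver = installed_version() or "0.7.2"
    cls = "oauthenticator.gitlab.GitLabOAuthenticator"
    print("upgrade needed" if needs_upgrade(ver, cls, ["my-team"]) else "ok")
```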
Timeline (all times UTC):
2018-02-16 09:51 Joseph Weston reports security issue to the Jupyter security list
2018-02-16 16:08 Fix is verified and applied to oauthenticator master
2018-02-16 21:52 oauthenticator 0.7.3 and 0.6.2 are released with the fix
Security fix for JupyterHub GitLab OAuthenticator Group Whitelists was originally published in Jupyter Blog on Medium.