CVE-2023-51663: 
Python vulnerability analysis and mitigation

Hail, an open-source Python-based data analysis tool for genomic data, was found to contain an authentication bypass vulnerability (CVE-2023-51663) discovered on December 29, 2023. The vulnerability affects versions prior to 0.2.127 and involves improper validation of OpenID Connect (OIDC) email addresses from ID tokens when verifying user domain validity (GitHub Advisory).

The vulnerability stems from Hail Batch's reliance on OIDC email addresses from ID tokens for domain validation. Due to users' ability to modify their email addresses, the system fails to properly verify domain ownership. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

The vulnerability allows attackers to create unauthorized accounts in Hail Batch clusters by manipulating email addresses. For example, attackers can create Microsoft or Google accounts and change their email to match a target organization's domain (e.g., 'test@example.org'). While attackers cannot access private data or impersonate existing users, they can run jobs if Hail Batch billing projects are enabled and create Azure Tenants with appropriate permissions (GitHub Advisory).

The vulnerability has been patched in version 0.2.127. Organizations should apply this patch to prevent third-party attackers from creating unauthorized accounts. Additionally, administrators should audit their user lists at 'auth.example.org/users' for invalid login IDs and remove such users. There are no workarounds available for this vulnerability (GitHub Advisory).