Lucene search

GitHub Advisory DatabaseGHSA-HFGR-H3VC-P6C2

HistoryDec 08, 2023 - 2:42 p.m.

DockerSpawner allows any image by default

2023-12-0814:42:55

CWE-20

GitHub Advisory Database

github.com

dockerspawner

image restriction

upgrade

dockerspawner 13

allowed_images.

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

14.0%

JSON

Impact

Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying DockerSpawner.allowed_images configuration allow users to launch any pullable image, instead of restricting to only the single configured image, as intended.

Patches

Upgrade to DockerSpawner 13.

Workarounds

Explicitly setting DockerSpawner.allowed_images to a non-empty list containing only the default image will result in the intended default behavior:

c.DockerSpawner.image = "your-image"
c.DockerSpawner.allowed_images = ["your-image"]

Affected configurations

Vulners

Node

jupyterdockerspawnerRange0.11.0≥

jupyterdockerspawnerRange<13.0.0

CPENameOperatorVersion
dockerspawnerge0.11.0
dockerspawnerlt13.0.0

CPE	Name	Operator	Version
	dockerspawner	ge	0.11.0
	dockerspawner	lt	13.0.0

References

github.com/advisories/GHSA-hfgr-h3vc-p6c2

github.com/jupyterhub/dockerspawner/commit/3ba4b665b6ca6027ea7a032d7ca3eab977574626

github.com/jupyterhub/dockerspawner/security/advisories/GHSA-hfgr-h3vc-p6c2

nvd.nist.gov/vuln/detail/CVE-2023-48311

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

14.0%

JSON

Related for GHSA-HFGR-H3VC-P6C2