Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-9JJR-QQFP-PPWX
HistoryAug 30, 2021 - 4:16 p.m.

remote code execution via git repo provider

2021-08-3016:16:58
Google
osv.dev
5
binderhub
remote code execution
git repo provider
security advisory
credentials leakage
kubernetes
docker registry
patch
workarounds
reference

EPSS

0.005

Percentile

76.8%

JSON

Impact

A remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration.

Patches

Patch below, or on GitHub

From 9f4043d9dddc1174920e687773f27b7933f48ab6 Mon Sep 17 00:00:00 2001
From: Riccardo Castellotti <[email protected]>
Date: Thu, 19 Aug 2021 15:49:43 +0200
Subject: [PATCH] Explicitly separate git-ls-remote options from positional
 arguments

---
 binderhub/repoproviders.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/binderhub/repoproviders.py b/binderhub/repoproviders.py
index f33347b..5d4b87c 100755
--- a/binderhub/repoproviders.py
+++ b/binderhub/repoproviders.py
@@ -484,7 +484,7 @@ class GitRepoProvider(RepoProvider):
             self.sha1_validate(self.unresolved_ref)
         except ValueError:
             # The ref is a head/tag and we resolve it using `git ls-remote`
-            command = ["git", "ls-remote", self.repo, self.unresolved_ref]
+            command = ["git", "ls-remote", "--", self.repo, self.unresolved_ref]
             result = subprocess.run(command, universal_newlines=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
             if result.returncode:
                 raise RuntimeError("Unable to run git ls-remote to get the `resolved_ref`: {}".format(result.stderr))
-- 
2.25.1

Workarounds

Disable the git repo provider by specifying the BinderHub.repo_providers config, e.g.:

from binderhub.repoproviders import (GitHubRepoProvider,
                            GitLabRepoProvider, GistRepoProvider,
                            ZenodoProvider, FigshareProvider, HydroshareProvider,
                            DataverseProvider)

c.BinderHub.repo_providers =  {
            'gh': GitHubRepoProvider,
            'gist': GistRepoProvider,
            'gl': GitLabRepoProvider,
            'zenodo': ZenodoProvider,
            'figshare': FigshareProvider,
            'hydroshare': HydroshareProvider,
            'dataverse': DataverseProvider,
        }

References

Credit: Jose Carlos Luna Duran (CERN) and Riccardo Castellotti (CERN).

For more information

If you have any questions or comments about this advisory:

Related

prion 1
cvelist 1
cve 1
github 1
osv 1
nvd 1
prion
prion
Remote code execution
2021-08-25 19:15:00
cvelist
cvelist
CVE-2021-39159 Remote code execution in Binderhub
2021-08-25 18:20:09
cve
cve
CVE-2021-39159
2021-08-25 19:15:14
github
github
remote code execution via git repo provider
2021-08-30 16:16:58
osv
osv
CVE-2021-39159
2021-08-25 19:15:14
nvd
nvd
CVE-2021-39159
2021-08-25 19:15:14

EPSS

0.005

Percentile

76.8%

JSON
Related for OSV:GHSA-9JJR-QQFP-PPWX
prion1cvelist1cve1github1osv1nvd1