CVSS3: 8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score: 7 High (Confidence: Low)
EPSS: 0.0004 Low (Percentile: 14.0%)

JupyterHub deployments running DockerSpawner 0.11.0 or later without the DockerSpawner.allowed_images configuration set allow users to launch any pullable image, instead of restricting them to the single configured image, as intended.
Upgrade to DockerSpawner 13.
Explicitly setting DockerSpawner.allowed_images to a non-empty list containing only the default image will result in the intended default behavior:

```python
c.DockerSpawner.image = "your-image"
c.DockerSpawner.allowed_images = ["your-image"]
```

| Name | Operator | Version |
|---|---|---|
| dockerspawner | eq | 12.1.0 |
| dockerspawner | eq | 0.11.1 |
| dockerspawner | eq | 0.11.0 |
| dockerspawner | eq | 12.0.0 |
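
An added example, not part of the advisory or of DockerSpawner itself: a static check that reads a `jupyterhub_config.py` as text and reports whether a deployment matches the condition described above. The function names, result labels and sample configs are constructed for illustration, and treating an empty value like an unset one is an assumption drawn from the advisory's "non-empty list" wording.

```python
import ast
from itertools import takewhile

FIRST_AFFECTED = (0, 11, 0)  # advisory: "starting with 0.11.0"
FIXED = (13, 0, 0)           # advisory: "Upgrade to DockerSpawner 13"
SETTING = "c.DockerSpawner.allowed_images"
UNKNOWN = object()           # assigned, but not a literal that can be evaluated statically

def parse_version(text):
    """Numeric release tuple padded to three parts; suffixes such as rc1 are ignored."""
    nums = [int("".join(takewhile(str.isdigit, p)) or 0) for p in text.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def allowed_images_setting(config_source):
    """Last value assigned to the setting: a literal, None if never set, or UNKNOWN."""
    value = None
    for node in ast.walk(ast.parse(config_source)):
        if isinstance(node, ast.Assign) and any(ast.unparse(t) == SETTING for t in node.targets):
            try:
                value = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                value = UNKNOWN  # e.g. a function call; needs a human to look
    return value

def assess(version, config_source):
    """Classify a deployment from its DockerSpawner version and config text."""
    if not FIRST_AFFECTED <= parse_version(version) < FIXED:
        return "version-not-affected"
    setting = allowed_images_setting(config_source)
    if setting is UNKNOWN:
        return "review-manually"
    # Unset or empty leaves image choice open on affected versions.
    return "restricted" if setting else "exposed"

# Constructed sample configs (the second is the advisory's workaround).
DEFAULT_ONLY = 'c.DockerSpawner.image = "your-image"\n'
WORKAROUND = DEFAULT_ONLY + 'c.DockerSpawner.allowed_images = ["your-image"]\n'

if __name__ == "__main__":
    for ver, cfg in [("12.1.0", DEFAULT_ONLY), ("12.1.0", WORKAROUND), ("13.0.0", DEFAULT_ONLY)]:
        print(ver, assess(ver, cfg))
```

A "restricted" result only means the setting is non-empty; confirming that the list contains only the intended image is still a manual step.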