Lucene search

GoogleOSV:GHSA-HFGR-H3VC-P6C2

HistoryDec 08, 2023 - 2:42 p.m.

DockerSpawner allows any image by default

2023-12-0814:42:55

Google

osv.dev

dockerspawner

jupyterhub

dockerspawner.allowed_images

upgrade

workarounds

configuration

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

14.0%

JSON

Impact

Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying DockerSpawner.allowed_images configuration allow users to launch any pullable image, instead of restricting to only the single configured image, as intended.

Patches

Upgrade to DockerSpawner 13.

Workarounds

Explicitly setting DockerSpawner.allowed_images to a non-empty list containing only the default image will result in the intended default behavior:

c.DockerSpawner.image = "your-image"
c.DockerSpawner.allowed_images = ["your-image"]

CPENameOperatorVersion
dockerspawnereq12.1.0
dockerspawnereq0.11.1
dockerspawnereq0.11.0
dockerspawnereq12.0.0

Name	Operator	Version
dockerspawner	eq	12.1.0
dockerspawner	eq	0.11.1
dockerspawner	eq	0.11.0
dockerspawner	eq	12.0.0

References

github.com/jupyterhub/dockerspawner

github.com/jupyterhub/dockerspawner/commit/3ba4b665b6ca6027ea7a032d7ca3eab977574626

github.com/jupyterhub/dockerspawner/security/advisories/GHSA-hfgr-h3vc-p6c2

nvd.nist.gov/vuln/detail/CVE-2023-48311

8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

14.0%

JSON

Related for OSV:GHSA-HFGR-H3VC-P6C2