Lack of data validation in dockerspawner
Description
DockerSpawner allows any image by default
Impact
JupyterHub deployments running DockerSpawner 0.11.0 or later without an explicit DockerSpawner.allowed_images configuration allow users to launch any pullable image, instead of restricting launches to the single configured image as intended.
Patches
Upgrade to DockerSpawner 13.
Workarounds
Explicitly setting DockerSpawner.allowed_images to a non-empty list containing only the default image will result in the intended default behavior:
```python
c.DockerSpawner.image = "your-image"
c.DockerSpawner.allowed_images = ["your-image"]
```
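The behaviour difference the advisory describes, as an added illustration that is not DockerSpawner's own code: `resolve_image_lenient` models the affected logic (an empty `allowed_images` list is treated as "no restriction"), `resolve_image_strict` models the intended logic (an empty list means only the configured default image). Function names are invented for this example, and `allowed_images` is assumed to be a plain list as in the workaround above.

```python
class ImageNotAllowed(Exception):
    """Raised when a requested image is outside the permitted set."""


def resolve_image_lenient(requested, default_image, allowed_images):
    """Affected behaviour (DockerSpawner >= 0.11.0, < 13): with allowed_images
    left empty, any image a user asks for is accepted and pulled."""
    if not requested:
        return default_image
    # Bug: the check is skipped entirely when the list is empty.
    if allowed_images and requested not in allowed_images:
        raise ImageNotAllowed(requested)
    return requested


def resolve_image_strict(requested, default_image, allowed_images):
    """Intended behaviour: an empty allowed_images list falls back to a
    set containing only the configured default image."""
    allowed = set(allowed_images) if allowed_images else {default_image}
    if not requested:
        return default_image
    if requested not in allowed:
        raise ImageNotAllowed(requested)
    return requested


def config_is_restricted(image, allowed_images):
    """Operator check for a jupyterhub_config: True when the workaround from
    the advisory is in place (non-empty allowed_images that contains the
    configured default image), False when an affected version would let
    users launch arbitrary images."""
    if not allowed_images:
        return False
    return image in allowed_images


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    default, allowed = "your-image", []
    print(resolve_image_lenient("some-other-image", default, allowed))  # accepted: the flaw
    print(config_is_restricted(default, ["your-image"]))  # True: workaround applied
```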
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| pypi | dockerspawner | >= 0.11.0, < 13.0.0 | 13.0.0 |