What is the vulnerability ID of this vulnerability?

The vulnerability ID of this vulnerability is CVE-2023-48311.

What is the impact of this vulnerability?

The impact of this vulnerability is that users of JupyterHub deployments running DockerSpawner starting with version 0.11.0 without specifying DockerSpawner.allowed_images configuration can launch any pullable image instead of being restricted to only the single configured image.

How can I fix this vulnerability?

To fix this vulnerability, upgrade to DockerSpawner version 13.0.0.

Where can I find more information about this vulnerability?

You can find more information about this vulnerability on the GitHub security advisories page: https://github.com/jupyterhub/dockerspawner/security/advisories/GHSA-hfgr-h3vc-p6c2

What is the CWE ID of this vulnerability?

The CWE ID of this vulnerability is CWE-20.

Vulnerability/
CVE-2023-48311

high

CWE

8/12/2023

2/8/2024

CVE-2023-48311: Any image allowed by default

First published: Fri Dec 08 2023(Updated: )

### Impact Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable image, instead of restricting to only the single configured image, as intended. ### Patches Upgrade to DockerSpawner 13. ### Workarounds Explicitly setting `DockerSpawner.allowed_images` to a non-empty list containing only the default image will result in the intended default behavior: ```python c.DockerSpawner.image = "your-image" c.DockerSpawner.allowed_images = ["your-image"] ```

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Jupyter Dockerspawner	>=0.11.0<13.0
pip/dockerspawner	>=0.11.0<13.0.0	13.0.0

Remedy

https://github.com/jupyterhub/dockerspawner/commit/3ba4b665b6ca6027ea7a032d7ca3eab977574626

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID of this vulnerability?
The vulnerability ID of this vulnerability is CVE-2023-48311.
What is the impact of this vulnerability?
The impact of this vulnerability is that users of JupyterHub deployments running DockerSpawner starting with version 0.11.0 without specifying DockerSpawner.allowed_images configuration can launch any pullable image instead of being restricted to only the single configured image.
How can I fix this vulnerability?
To fix this vulnerability, upgrade to DockerSpawner version 13.0.0.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability on the GitHub security advisories page: https://github.com/jupyterhub/dockerspawner/security/advisories/GHSA-hfgr-h3vc-p6c2
What is the CWE ID of this vulnerability?
The CWE ID of this vulnerability is CWE-20.

collector/nvd-api
collector/github-advisory-latest
alias/GHSA-hfgr-h3vc-p6c2
alias/CVE-2023-48311
collector/nvd-cve
collector/github-advisory
agent/author
agent/type
agent/references
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/weakness
agent/remedy
agent/severity
agent/event
agent/description
agent/trending
agent/tags
agent/source
vendor/jupyter
canonical/jupyter dockerspawner
version/jupyter dockerspawner/0.11.0
package-manager/pip

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.