
CVE-2023-48311

Any image allowed by default

Severity Score: 4.3 (CVSS v3.1)

Exploit Likelihood: - (EPSS)

Affected Versions: >= 0.11.0 < 13.0 (CPE)

Public Exploits: 0 (Multiple Sources)

Exploited in Wild: - (KEV)

Decision: - (SSVC)

Descriptions

dockerspawner is a tool to spawn JupyterHub single-user servers in Docker containers. JupyterHub deployments running DockerSpawner 0.11.0 or later without specifying the `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable Docker image, instead of being restricted to the single configured image as intended. This issue has been addressed in commit `3ba4b665b`, which is included in dockerspawner release 13. Users are advised to upgrade. Users unable to upgrade should explicitly set `DockerSpawner.allowed_images` to a non-empty list containing only the default image; this restores the intended default behavior.

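The flaw is a default-handling mistake: an unset (empty) allowlist was treated as "no restriction" rather than "only the configured image". The block below is an added example, not dockerspawner's own code. It models that image-selection decision in a simplified form, with the pre-13 branch beside the fixed one, and adds a small audit helper that flags a deployment in the affected range with no explicit `allowed_images`. The image names and the `resolve_image`/`is_vulnerable` helpers are hypothetical; `allowed_images` is modelled with the same shapes the real trait accepts (a list of image names, or a dict of display name to image).

```python
"""Added example, not dockerspawner's own code: a simplified model of the
image-selection decision behind CVE-2023-48311, plus an audit helper for
deployments that cannot upgrade yet.  Image names are hypothetical."""

DEFAULT_IMAGE = "quay.io/jupyter/base-notebook:latest"   # assumed default image


def resolve_image(requested, default_image=DEFAULT_IMAGE,
                  allowed_images=None, fixed=True):
    """Return the image to launch for a user's request, or raise ValueError.

    allowed_images follows the shape of DockerSpawner.allowed_images: a list
    of image names, or a dict mapping display names to images.  With
    fixed=False the empty-allowlist branch reproduces the advisory's flaw:
    whatever image name the user supplies is accepted.
    """
    if not requested:
        return default_image
    if allowed_images:
        if isinstance(allowed_images, dict):
            if requested not in allowed_images:
                raise ValueError(f"image {requested!r} not in allowed_images")
            return allowed_images[requested]
        if requested not in allowed_images:
            raise ValueError(f"image {requested!r} not in allowed_images")
        return requested
    # No allowlist configured.  The intended behaviour is "only the single
    # configured image"; the bug was treating an empty allowlist as "anything".
    if fixed:
        if requested != default_image:
            raise ValueError(f"image {requested!r} is not the configured image")
        return default_image
    return requested            # vulnerable branch: any pullable image


def parse_version(text):
    """Turn '12.1.0' into (12, 1, 0); a non-numeric tail such as 'rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable(version, allowed_images):
    """True when the DockerSpawner version is in the affected range
    (>= 0.11.0, < 13) and no explicit allowlist is configured."""
    v = parse_version(version)
    return (0, 11, 0) <= v < (13,) and not allowed_images


if __name__ == "__main__":
    attacker_image = "evil.example/backdoored-notebook:latest"   # constructed
    print("pre-13 :", resolve_image(attacker_image, fixed=False))
    try:
        resolve_image(attacker_image, fixed=True)
    except ValueError as err:
        print("fixed  :", err)
    print("12.1.0, no allowlist :", is_vulnerable("12.1.0", []))
    print("12.1.0, allowlist set:", is_vulnerable("12.1.0", [DEFAULT_IMAGE]))
```

For a deployment that cannot move to release 13, the mitigation from the description is the configuration equivalent of the `allowed_images` branch above: in `jupyterhub_config.py` set `c.DockerSpawner.image` to the single image you intend to run and `c.DockerSpawner.allowed_images` to a one-element list containing exactly that image, so that the empty-allowlist branch is never reached.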

*Credits: N/A
CVSS Scores

Two CVSS v3.1 metric sets are listed for this CVE:

  • AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (base score 4.3)
    Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: Low; Integrity: None; Availability: None
  • AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (base score 8.0, computed from the listed metrics)
    Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: Required; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High

* Common Vulnerability Scoring System
SSVC
  • Decision: -
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-11-14 CVE Reserved
  • 2023-12-08 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-11-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions

Vendor   Product        Version            Other  Status
Jupyter  Dockerspawner  >= 0.11.0 < 13.0   -      Affected