CVE-2020-15110: Possible pod name collisions in jupyterhub-kubespawner
(updated )
What kind of vulnerability is it? Who is impacted?
JupyterHub deployments using:
- KubeSpawner <= 0.11.1 (e.g. zero-to-jupyterhub 0.9.0) and
- enabled named_servers (not default), and
- an Authenticator that allows:
- usernames with hyphens or other characters that require escape (e.g.
user-hyphenoruser@email), and - usernames which may match other usernames up to but not including the escaped character (e.g.
userin the above cases)
In this circumstance, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames.
References
- github.com/advisories/GHSA-v7m9-9497-p9gr
- github.com/jupyterhub/kubespawner
- github.com/jupyterhub/kubespawner/commit/3dfe870a7f5e98e2e398b01996ca6b8eff4bb1d0
- github.com/jupyterhub/kubespawner/security/advisories/GHSA-v7m9-9497-p9gr
- github.com/pypa/advisory-database/tree/main/vulns/jupyterhub-kubespawner/PYSEC-2020-51.yaml
- nvd.nist.gov/vuln/detail/CVE-2020-15110
Code Behaviors & Features
Detect and mitigate CVE-2020-15110 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →