QID 980040
QID 980040: Python (pip) Security Update for jupyterhub-kubespawner (GHSA-v7m9-9497-p9gr)
Security update has been released for jupyterhub-kubespawner to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
_What kind of vulnerability is it? Who is impacted?_
JupyterHub deployments using:
- KubeSpawner <= 0.11.1 (e.g. zero-to-jupyterhub 0.9.0) and
- enabled named_servers (not default), and
- an Authenticator that allows:
- usernames with hyphens or other characters that require escape (e.g. `user-hyphen` or `user@email`), and
- usernames which may match other usernames up to but not including the escaped character (e.g. `user` in the above cases)
In this circumstance, certain usernames will be able to craft particular server names which will grant them access to the default server of other users who have matching usernames.
Patch will be released in kubespawner 0.12 and zero-to-jupyterhub 0.9.1Workaround:
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
- GHSA-v7m9-9497-p9gr -
github.com/advisories/GHSA-v7m9-9497-p9gr
CVEs related to QID 980040
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-v7m9-9497-p9gr | jupyterhub-kubespawner |
github.com/advisories/GHSA-v7m9-9497-p9gr |