binderhub@0.1.0 vulnerabilities

Turn a Git repo into a collection of interactive notebooks

Direct Vulnerabilities

Known vulnerabilities in the binderhub package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Arbitrary Code Execution

binderhub is a package that allows you to BUILD and REGISTER a Docker image using a GitHub repository, then CONNECT with JupyterHub, allowing you to create a public IP address that allows users to interact with the code and environment within a live JupyterHub instance.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user-created pods in the deployment, with the possibility of escalating to the host depending on the underlying kubernetes configuration.

As a workaround, if users are unable to update, they may disable the git repo provider by specifying the BinderHub.repo_providers.

How to fix Arbitrary Code Execution?

A fix was pushed into the master branch but not yet published.

[0,)