binderhub@0.1.0 vulnerabilities

Turn a Git repo into a collection of interactive notebooks

latest version

0.1.0
first published

5 years ago
latest version published

5 years ago
licenses detected
- BSD-2-Clause
  [0,)
View binderhub package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the binderhub package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Arbitrary Code Execution binderhub is a package that allows you to BUILD and REGISTER a Docker image using a GitHub repository, then CONNECT with JupyterHub, allowing you to create a public IP address that allows users to interact with the code and environment within a live JupyterHub instance. Affected versions of this package are vulnerable to Arbitrary Code Execution. Providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user-created pods in the deployment, with the possibility of escalating to the host depending on the underlying kubernetes configuration. As a workaround, if users are unable to update, they may disable the git repo provider by specifying the `BinderHub.repo_providers`. How to fix Arbitrary Code Execution? A fix was pushed into the `master` branch but not yet published.	[0,)

Arbitrary Code Execution

binderhub is a package that allows you to BUILD and REGISTER a Docker image using a GitHub repository, then CONNECT with JupyterHub, allowing you to create a public IP address that allows users to interact with the code and environment within a live JupyterHub instance.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user-created pods in the deployment, with the possibility of escalating to the host depending on the underlying kubernetes configuration.

As a workaround, if users are unable to update, they may disable the git repo provider by specifying the BinderHub.repo_providers.

How to fix Arbitrary Code Execution?

A fix was pushed into the master branch but not yet published.

[0,)

Go back to all versions of this package

binderhub@0.1.0 vulnerabilities

Turn a Git repo into a collection of interactive notebooks

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities