jupyter-enterprise-gateway@3.0.0

A web server for spawning and communicating with remote Jupyter kernels

  • latest version: 3.3.0

  • first published: 8 years ago
  • latest version published: 29 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the jupyter-enterprise-gateway package. This does not include vulnerabilities belonging to this package’s dependencies.

    • Severity: C (critical)
    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    jupyter-enterprise-gateway is a web server for spawning and communicating with remote Jupyter kernels.

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the rendering process of Kubernetes manifests using untrusted environment variables in Jinja2 templates. An attacker can inject arbitrary YAML content, overwrite critical fields such as securityContext, and create additional unintended Kubernetes resources by supplying specially crafted environment variables. This can result in the creation of privileged pods, arbitrary Kubernetes resources, and potentially full compromise of the Kubernetes cluster. This is only exploitable if the environment variables used in manifest rendering are controlled by the attacker, and in some cases, if the mirrorWorkingDirs configuration is enabled.

    How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

    Upgrade jupyter-enterprise-gateway to version 3.3.0 or higher.

    Vulnerable versions: [,3.3.0)

    • Severity: C (critical)
    Improper Neutralization of Special Elements Used in a Template Engine

    jupyter-enterprise-gateway is a web server for spawning and communicating with remote Jupyter kernels.

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the rendering of Kubernetes manifest templates using untrusted environment variables in the KERNEL_XXX family. An attacker can execute arbitrary Python code and operating system commands by injecting malicious Jinja2 template expressions into these variables, potentially gaining control over the service account token and compromising the entire Kubernetes cluster by creating privileged pods or accessing sensitive resources.

    How to fix Improper Neutralization of Special Elements Used in a Template Engine?

    Upgrade jupyter-enterprise-gateway to version 3.3.0 or higher.

    Vulnerable versions: [2.0.0rc2,3.3.0)

    • Severity: C (critical)
    Incorrect Behavior Order: Validate Before Canonicalize

    jupyter-enterprise-gateway is a web server for spawning and communicating with remote Jupyter kernels.

    Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize via improper validation of the KERNEL_UID and KERNEL_GID environment variables. An attacker can gain elevated privileges and execute arbitrary code as the root user within the container by supplying specially crafted values containing whitespace to bypass prohibited ID checks. This may allow further compromise of the underlying worker node and potentially the entire Kubernetes cluster through actions such as mounting host volumes and modifying system files.

    How to fix Incorrect Behavior Order: Validate Before Canonicalize?

    Upgrade jupyter-enterprise-gateway to version 3.3.0 or higher.

    Vulnerable versions: [2.0.0rc1,3.3.0)
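The validate-before-canonicalize defect described in the third advisory, shown as an added illustration that is not the project's own code: a prohibited-ID check done on the raw string beside the hardened ordering that canonicalizes first. The function names, the `PROHIBITED_IDS` set and the `int()`-based conversion are assumptions for this example; the hardened version also covers sign and underscore spellings that `int()` accepts, not only the whitespace case the advisory names.

```python
# Constructed for this example: IDs the gateway is configured to refuse.
# The real project's option names and defaults are not shown on this page.
PROHIBITED_IDS = {"0"}


def check_id_validate_first(raw: str) -> int:
    """Vulnerable ordering: validate the raw string, then canonicalize.

    The prohibited-ID comparison looks at the untouched string, so " 0"
    is not found in the set. int() then tolerates surrounding whitespace
    (and "+0" or "0_0") and still yields 0, so the check is bypassed.
    """
    if raw in PROHIBITED_IDS:
        raise ValueError(f"prohibited id: {raw!r}")
    return int(raw)  # canonicalization only happens after validation


def check_id_canonicalize_first(raw: str) -> int:
    """Hardened ordering: canonicalize to one form, then validate.

    Accept only a plain run of ASCII digits, convert to an integer, and
    compare the integer (not the string) with the prohibited set, so
    every spelling of the same id is judged identically.
    """
    if not raw.isascii() or not raw.isdigit():
        raise ValueError(f"id must be a decimal integer: {raw!r}")
    uid = int(raw)
    if uid in {int(p) for p in PROHIBITED_IDS}:
        raise ValueError(f"prohibited id: {uid}")
    return uid


def resolve_kernel_ids(env: dict, checker) -> tuple:
    """Apply a checker to KERNEL_UID and KERNEL_GID from a launch env."""
    return checker(env["KERNEL_UID"]), checker(env["KERNEL_GID"])


def rejects(checker, raw: str) -> bool:
    """True if checker refuses raw (used to compare both orderings)."""
    try:
        checker(raw)
    except ValueError:
        return True
    return False
```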