Arbitrary Code Execution Affecting binderhub package, versions [0,]
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-BINDERHUB-1569898
- published 26 Aug 2021
- disclosed 26 Aug 2021
- credit Unknown
Introduced: 26 Aug 2021
CVE-2021-39159 Open this link in a new tabHow to fix?
A fix was pushed into the master branch but not yet published.
Overview
binderhub is a package that allows you to BUILD and REGISTER a Docker image using a GitHub repository, then CONNECT with JupyterHub, allowing you to create a public IP address that allows users to interact with the code and environment within a live JupyterHub instance.
Affected versions of this package are vulnerable to Arbitrary Code Execution. Providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user-created pods in the deployment, with the possibility of escalating to the host depending on the underlying kubernetes configuration.
As a workaround, if users are unable to update, they may disable the git repo provider by specifying the BinderHub.repo_providers.