Security advisory for JupyterHub deployments on Kubernetes with named servers enabled

minrk · July 17, 2020, 1:34pm

We have just published a security advisory that affects JupyterHub deployments on kubernetes which have enabled allowNamedServers: true, where collisions could occur between the default server of certain usernames that require escapes, and other users’ named servers. See the security advisory for more details.

We have published 0.9.1 of the jupyterhub helm chart and kubespawner 0.12 with fixes.

The issue can be resolved by any of the following actions:

Upgrading jupyterhub-kubespawner in the Hub image to 0.12 or
Upgrading the jupyterhub helm chart to 0.9.1 or
Specifying your own pod_name_template and pvc_name_template templates that do not allow collisions, or
Disabling named_servers

Named servers are not enabled by default, so if you have not enabled them, you are not affected. Additionally, not all Authenticators permit usernames that allow collisions in this way.

Topic		Replies	Views
Jupyterhub user server : The filled server name is inconsistent with the generated pod name? The Littlest JupyterHub jupyterlab , jupyterhub	2	561	September 29, 2021
How do I enable multi-server UI with JupyterHub on Kubernetes? Zero to JupyterHub on Kubernetes	5	2759	April 1, 2019
Kubespawner: spawns multiple server options running at the same time Zero to JupyterHub on Kubernetes jupyterhub , how-to , help-wanted	2	219	December 13, 2023
Only One Multiple Named Server Working Zero to JupyterHub on Kubernetes	12	1148	December 15, 2022
Is it possible to customize named servers? Zero to JupyterHub on Kubernetes	1	543	April 1, 2019

Security advisory for JupyterHub deployments on Kubernetes with named servers enabled

Related Topics