Security advisory for JupyterHub deployments on Kubernetes with named servers enabled

We have just published a security advisory that affects JupyterHub deployments on Kubernetes which have enabled allowNamedServers: true, where collisions could occur between the default server of certain usernames that require escapes, and other users’ named servers. See the security advisory for more details.

We have published 0.9.1 of the jupyterhub helm chart and kubespawner 0.12 with fixes.

The issue can be resolved by any of the following actions:

  • Upgrading jupyterhub-kubespawner in the Hub image to 0.12 or
  • Upgrading the jupyterhub helm chart to 0.9.1 or
  • Specifying your own pod_name_template and pvc_name_template templates that do not allow collisions, or
  • Disabling named_servers

Named servers are not enabled by default, so if you have not enabled them, you are not affected. Additionally, not all Authenticators permit usernames that allow collisions in this way.
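As an added illustration of what "templates that do not allow collisions" means (this is constructed example code, not the advisory's or kubespawner's own): it models hex-escaping of usernames, an assumed naive template that appends the server name with a single '-', and an alternative that joins escaped parts with '--', a separator escaped output can never contain. The template strings and sample names are assumptions for illustration only.

```python
import string

# Added example, not from the advisory or the kubespawner project. Escaping
# below is a simplified model (hex escapes introduced by '-'); the two
# template styles and the sample names are constructed assumptions.

SAFE = set(string.ascii_letters + string.digits)
ESC = "-"


def escape(s: str) -> str:
    """Hex-escape every character outside SAFE, each escape being ESC + 2 hex digits."""
    out = []
    for ch in s:
        if ch in SAFE:
            out.append(ch)
        else:
            out.extend(ESC + f"{b:02x}" for b in ch.encode("utf-8"))
    return "".join(out)


def naive_pod_name(username: str, servername: str = "") -> str:
    """Assumed collision-prone style: server name appended with one '-' and not escaped."""
    suffix = "-" + servername if servername else ""
    return f"jupyter-{escape(username)}{suffix}"


def safe_pod_name(username: str, servername: str = "") -> str:
    """Collision-free style: escape both parts and join with '--'.

    An escape is '-' followed by two hex digits and '-' itself is not SAFE,
    so '--' can never appear inside escaped output; the split is unambiguous.
    """
    suffix = "--" + escape(servername) if servername else ""
    return f"jupyter-{escape(username)}{suffix}"


def find_collisions(make_name, servers):
    """Return pod names claimed by more than one (user, server) pair."""
    seen = {}
    for user, server in servers:
        seen.setdefault(make_name(user, server), []).append((user, server))
    return {name: owners for name, owners in seen.items() if len(owners) > 1}


# Constructed sample: user 'a_b' (needs escaping) on its default server, and
# user 'a' with a named server whose name equals the escape sequence for '_'.
SAMPLE = [("a_b", ""), ("a", "5fb")]
```

The same reasoning applies to pvc_name_template: whatever separates the username from the server name must be something the escaped username cannot produce.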
