PT-2020-14192 · Jupyterhub · Kubespawner+2

Jining Huang · Published 2020-07-17 · Updated 2021-11-18 · CVE-2020-15110

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: jupyterhub-kubespawner versions prior to 0.12

Description: The issue allows users with certain usernames to craft server names that grant them access to the default server of other users whose usernames match the resulting name. This affects JupyterHub deployments that use KubeSpawner with named servers enabled, together with authenticators that allow usernames containing hyphens or other characters that require escaping. The estimated number of potentially affected devices is not specified.

Recommendations: For versions prior to 0.12, upgrade to kubespawner 0.12 or zero-to-jupyterhub 0.9.1. As a temporary workaround for KubeSpawner, specify the configuration using the PatchedKubeSpawner class to modify the pod name template and the PVC name template; remove this configuration after upgrading so that naming stays consistent.
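The following is an added example, not code from the advisory or from the kubespawner project, that illustrates the naming problem the description refers to and gives a deployer a check to run over their own username list and name templates. It assumes a simplified hex-style escaping (every character outside [a-z0-9] becomes "-" followed by its hex code) standing in for the escaping KubeSpawner applies, and assumes two candidate templates: a legacy one joining username and server name with a single "-", and one using "--" as the separator. The function names (escape, pod_name, find_collisions) and the sample usernames are this example's own.

```python
import string

# Simplified stand-in for the escaping a spawner applies to names before
# embedding them in Kubernetes object names (assumption of this example).
SAFE = set(string.ascii_lowercase + string.digits)
ESCAPE_CHAR = "-"


def escape(name: str) -> str:
    """Escape every character outside [a-z0-9] as '-' followed by its hex code.

    The escape character itself is escaped ('-' -> '-2d'), and every '-' in the
    output is followed by hex digits, so the output can never contain '--'.
    """
    out = []
    for ch in name.lower():
        if ch in SAFE:
            out.append(ch)
        else:
            out.append(ESCAPE_CHAR + ch.encode("utf-8").hex())
    return "".join(out)


def pod_name(template: str, username: str, servername: str = "") -> str:
    """Render a pod name; strip the separator left behind by an empty (default) server name."""
    rendered = template.format(username=escape(username), servername=escape(servername))
    return rendered.rstrip("-")


# Single '-' separator: ambiguous, because the escaped username also contains '-'.
LEGACY_TEMPLATE = "jupyter-{username}-{servername}"
# '--' separator: unambiguous, because '--' never appears inside an escaped name.
SAFE_TEMPLATE = "jupyter-{username}--{servername}"


def find_collisions(template: str, users: list, servers: list) -> dict:
    """Return pod names that more than one (user, server) pair would render to.

    'users' are raw usernames; 'servers' are server names each user may create,
    with the empty string standing for the default server.
    """
    owners = {}
    for user in users:
        for server in servers:
            owners.setdefault(pod_name(template, user, server), []).append((user, server))
    return {name: pairs for name, pairs in owners.items() if len(pairs) > 1}


# Constructed sample input for this example (not real deployment data).
SAMPLE_USERS = ["alice", "alice-smith"]
SAMPLE_SERVERS = ["", "2dsmith"]  # "" is the default server; "2dsmith" equals the escape of "-smith"

if __name__ == "__main__":
    for label, template in (("legacy", LEGACY_TEMPLATE), ("double-hyphen", SAFE_TEMPLATE)):
        print(label, find_collisions(template, SAMPLE_USERS, SAMPLE_SERVERS))
```

With the legacy template, alice's server "2dsmith" and alice-smith's default server both render to jupyter-alice-2dsmith, which is the class of collision the advisory describes; with the "--" separator the two names differ, and find_collisions reports nothing. The check is useful whenever a custom pod or PVC name template is in place, since a template that reintroduces a single-character separator reintroduces the ambiguity.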

Exploit · Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2020-15110
GHSA-V7M9-9497-P9GR
PYSEC-2020-51

Affected Products

Jupyterhub-Kubespawner
Kubespawner
Zero-To-Jupyterhub