PT-2023-30774 · Unknown · Jupyterhub+1

Published: 2023-12-08 · Updated: 2023-12-13 · CVE-2023-48311

CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DockerSpawner versions 0.11.0 through 12

Description: The issue affects JupyterHub deployments running DockerSpawner, allowing users to launch any pullable Docker image instead of being restricted to the single configured image. This has been addressed in DockerSpawner release version 13. Users are advised to upgrade to this version to resolve the issue. For users unable to upgrade, setting DockerSpawner.allowed_images to a non-empty list containing only the default image will result in the intended default behavior.

Recommendations: For DockerSpawner versions 0.11.0 through 12, upgrade to DockerSpawner 13 to resolve the issue. As a temporary workaround for users unable to upgrade, explicitly set DockerSpawner.allowed_images to a non-empty list containing only the default image, for example:

    c.DockerSpawner.image = "your-image"
    c.DockerSpawner.allowed_images = ["your-image"]
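The following is an added illustrative model of the image-selection policy the advisory describes; it is not DockerSpawner's own code. The function names `image_permitted` and `workaround_applied`, the `strict` flag (which stands in for the difference between the fixed and the affected behaviour), and the image names used in the comments are assumptions made for this example. It shows why an empty allow-list is the dangerous state on affected versions, why the recommended non-empty `allowed_images` restores the intended behaviour even without upgrading, and gives a check an operator can run against their own settings.

```python
"""Model of DockerSpawner's intended image policy as described in CVE-2023-48311.

Assumption: this is an illustrative re-implementation for the advisory, not the
project's code. `strict=True` models the intended behaviour (release 13 and the
workaround); `strict=False` models the defect reported for 0.11.0 through 12.
"""


def image_permitted(requested, default_image, allowed_images, strict=True):
    """Return the image that will actually be spawned, or None if refused.

    requested      -- image name supplied by the user (None if no choice made)
    default_image  -- value of c.DockerSpawner.image
    allowed_images -- value of c.DockerSpawner.allowed_images (list; may be empty)
    """
    if requested is None:
        # No user choice: always the configured default.
        return default_image

    if allowed_images:
        # A non-empty allow-list is an exact allow-list. This branch is what the
        # advisory's workaround relies on, so it is enforced in both modes.
        return requested if requested in allowed_images else None

    if strict:
        # Intended default: an empty allow-list means "only the configured image".
        return default_image if requested == default_image else None

    # Affected behaviour: with an empty allow-list the user's request is honoured
    # unchecked, so any pullable image would be launched.
    return requested


def workaround_applied(default_image, allowed_images):
    """The advisory's mitigation: allowed_images is a non-empty list containing
    only the default image."""
    return list(allowed_images) == [default_image]


def audit(default_image, allowed_images, version_major):
    """Operator-side check: report whether this configuration is exposed.

    version_major -- major version of the installed DockerSpawner (assumed input).
    """
    if version_major >= 13:
        return "fixed: upgraded release"
    if workaround_applied(default_image, allowed_images):
        return "mitigated: allowed_images pins the default image"
    if allowed_images:
        return "restricted: allowed_images is an explicit allow-list"
    return "exposed: empty allowed_images on an affected release"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(image_permitted("someone-elses/image", "your-image", [], strict=False))
    print(image_permitted("someone-elses/image", "your-image", ["your-image"]))
    print(audit("your-image", [], 12))
    print(audit("your-image", ["your-image"], 12))
```

Run the block directly to see the four decisions; `audit` is the part worth wiring into a configuration review, since the exposed case is exactly "affected release and empty `allowed_images`".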

Exploit

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2023-48311
GHSA-HFGR-H3VC-P6C2

Affected Products

Dockerspawner
Jupyterhub