CVE-2021-39159— BinderHub 操作系统命令注入漏洞

Remote code execution in Binderhub

BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration. Users are advised to update to version 0.2.0-n653. If users are unable to update they may disable the git repo provider by specifying the `BinderHub.repo_providers` as a workaround.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

BinderHub 操作系统命令注入漏洞

BinderHub是一个基于kubernetes的云服务，允许用户从代码库共享可复制的交互计算环境。 BinderHub 存在操作系统命令注入漏洞。攻击者可利用该漏洞在BinderHub上下文中执行代码，并有可能解析出BinderHub部署的凭据，包括JupyterHub API令牌、kubernetes服务帐户和docker注册表凭据。建议用户更新至版本0.2.0-n653

N/A

N/A