Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Remote code execution in Binderhub
Vulnerability Description
BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration. Users are advised to update to version 0.2.0-n653. If users are unable to update they may disable the git repo provider by specifying the `BinderHub.repo_providers` as a workaround.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
BinderHub 操作系统命令注入漏洞
Vulnerability Description
BinderHub是一个基于kubernetes的云服务,允许用户从代码库共享可复制的交互计算环境。 BinderHub 存在操作系统命令注入漏洞。攻击者可利用该漏洞在BinderHub上下文中执行代码,并有可能解析出BinderHub部署的凭据,包括JupyterHub API令牌、kubernetes服务帐户和docker注册表凭据。建议用户更新至版本0.2.0-n653
CVSS Information
N/A
Vulnerability Type
N/A