GHSA-9jjr-qqfp-ppwx

Опубликовано: 30 авг. 2021

Источник: github

Github: Прошло ревью

CVSS4: 9.4

CVSS3: 9.6

Описание

remote code execution via git repo provider

Impact

A remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration.

Patches

Patch below, or on GitHub

From 9f4043d9dddc1174920e687773f27b7933f48ab6 Mon Sep 17 00:00:00 2001 From: Riccardo Castellotti <rcastell@cern.ch> Date: Thu, 19 Aug 2021 15:49:43 +0200 Subject: [PATCH] Explicitly separate git-ls-remote options from positional arguments --- binderhub/repoproviders.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/binderhub/repoproviders.py b/binderhub/repoproviders.py index f33347b..5d4b87c 100755 --- a/binderhub/repoproviders.py +++ b/binderhub/repoproviders.py @@ -484,7 +484,7 @@ class GitRepoProvider(RepoProvider): self.sha1_validate(self.unresolved_ref) except ValueError: # The ref is a head/tag and we resolve it using `git ls-remote` - command = ["git", "ls-remote", self.repo, self.unresolved_ref] + command = ["git", "ls-remote", "--", self.repo, self.unresolved_ref] result = subprocess.run(command, universal_newlines=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) if result.returncode: raise RuntimeError("Unable to run git ls-remote to get the `resolved_ref`: {}".format(result.stderr)) -- 2.25.1

Workarounds

Disable the git repo provider by specifying the BinderHub.repo_providers config, e.g.:

from binderhub.repoproviders import (GitHubRepoProvider, GitLabRepoProvider, GistRepoProvider, ZenodoProvider, FigshareProvider, HydroshareProvider, DataverseProvider) c.BinderHub.repo_providers = { 'gh': GitHubRepoProvider, 'gist': GistRepoProvider, 'gl': GitLabRepoProvider, 'zenodo': ZenodoProvider, 'figshare': FigshareProvider, 'hydroshare': HydroshareProvider, 'dataverse': DataverseProvider, }

References

Credit: Jose Carlos Luna Duran (CERN) and Riccardo Castellotti (CERN).

For more information

If you have any questions or comments about this advisory:

Email us at security@ipython.org

Ссылки

Пакеты

Наименование

binderhub

pip

Затронутые версииВерсия исправления

< 0.2.0

0.2.0

EPSS

Процентиль: 80%

0.01322

Низкий

9.4 Critical

CVSS4

9.6 Critical

CVSS3

CVE ID

CVE-2021-39159

Дефекты

CWE-78

CWE-94

Связанные уязвимости

CVE-2021-39159

CVSS3: 9.6

nvd

больше 4 лет назад

BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration. Users are advised to update to version 0.2.0-n653. If users are unable to update they may disable the git repo provider by specifying the `BinderHub.repo_providers` as a workaround.

BDU:2021-05133

CVSS3: 9.8

fstec

больше 4 лет назад

Уязвимость программного проекта для упаковки и совместного использования интерактивных воспроизводимых сред BinderHub, связанная с неверным управлением генерацией кода, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 80%

0.01322

Низкий

9.4 Critical

CVSS4

9.6 Critical

CVSS3

CVE ID

CVE-2021-39159

Дефекты

CWE-78

CWE-94