CVE-2023-48311 — DockerSpawner allows any image by default

Description

### Impact Users of JupyterHub deployments running DockerSpawner starting with 0.11.0 without specifying `DockerSpawner.allowed_images` configuration allow users to launch _any_ pullable image, instead of restricting to only the single configured image, as intended. ### Patches Upgrade to DockerSpawner 13. ### Workarounds Explicitly setting `DockerSpawner.allowed_images` to a non-empty list containing only the default image will result in the intended default behavior: ```python c.DockerSpawner.image = "your-image" c.DockerSpawner.allowed_images = ["your-image"] ```

How to fix CVE-2023-48311

To remediate CVE-2023-48311, upgrade the affected package to a fixed version below.

—upgrade to 13.0.0 or later

Is CVE-2023-48311 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.11.0, < 13.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-48311
PATCHgithub.com/jupyterhub/dockerspawner
WEBgithub.com/jupyterhub/dockerspawner/commit/3ba4b665b6ca6027ea7a032d7ca3eab977574626
WEBgithub.com/jupyterhub/dockerspawner/security/advisories/GHSA-hfgr-h3vc-p6c2