CVE-2020-15110: 
Python vulnerability analysis and mitigation

CVE-2020-15110 affects jupyterhub-kubespawner versions before 0.12. The vulnerability allows certain usernames to craft particular server names which will grant them access to the default server of other users who have matching usernames. This vulnerability was discovered and disclosed on July 17, 2020 (GitHub Advisory).

The vulnerability exists due to improper handling of pod and PVC name templates. The issue specifically affects deployments using KubeSpawner ≤ 0.11.1 with named_servers enabled and an Authenticator that allows usernames with hyphens or other characters requiring escape. The CVSS v3.1 base score is 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) according to NVD assessment (NVD).

The vulnerability allows attackers to gain unauthorized access to other users' default servers if they have matching usernames up to but not including the escaped character (e.g., 'user' matching 'user-hyphen' or 'user@email'). This could lead to unauthorized access to sensitive data and potential manipulation of other users' server environments (GitHub Advisory).

The vulnerability is fixed in kubespawner version 0.12 and zero-to-jupyterhub 0.9.1. For users unable to upgrade immediately, a workaround is available by specifying custom pod_name_template and pvc_name_template configurations in KubeSpawner. However, this workaround will need to be removed when upgrading to maintain consistent pod and PVC naming (GitHub Advisory).