CVE-2023-48311: 
Python vulnerability analysis and mitigation

CVE-2023-48311 affects JupyterHub deployments running DockerSpawner versions from 0.11.0 to version 13. The vulnerability allows authenticated users to launch any pullable Docker image instead of being restricted to only the configured image when the DockerSpawner.allowed_images configuration is not specified (GitHub Advisory, NVD).

The vulnerability stems from a configuration issue where DockerSpawner does not properly restrict the images that can be launched by users. When the DockerSpawner.allowed_images configuration is not set, the system allows users to launch any pullable Docker image instead of enforcing the intended restriction to a single configured image. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) by NIST and 8.0 (HIGH) by GitHub (NVD).

The vulnerability could allow authenticated users to execute arbitrary Docker containers, potentially leading to unauthorized access to resources, data exposure, or system compromise. The ability to run any pullable Docker image significantly expands the attack surface of affected JupyterHub deployments (GitHub Advisory).

The issue has been patched in dockerspawner release version 13. Users are advised to upgrade to this version. For those unable to upgrade, a workaround is available by explicitly setting DockerSpawner.allowed_images to a non-empty list containing only the default image. For example: c.DockerSpawner.image = "your-image" and c.DockerSpawner.allowed_images = ["your-image"] (GitHub Advisory).