CVE-2018-19295
Description
Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in Singularity 2.4-2.6 allows local users to bypass security restrictions via crafted commands.
Vulnerability
Sylabs Singularity versions 2.4 through 2.6 contain an improper input validation vulnerability [1][2]. The issue allows local users to perform actions that should be restricted, such as mounting instances, joining instances, and starting daemon processes from action commands [4]. The flaw was addressed in version 2.6.1, which disables instance features for mount commands, disables instance join for the start command, and disables daemon start for action commands [4].
Exploitation
An attacker must have local access to a system running an affected version of Singularity (2.4 to 2.6) [1][2]. No special privileges are required beyond being a legitimate user of the container platform. The attacker can exploit the improper input validation by crafting specific commands that trigger the unintended behavior, such as using instance-related commands in ways that bypass intended restrictions [4].
Impact
Successful exploitation allows a local user to perform actions that the software should have prevented, such as mounting instances or starting daemon processes from action commands [4]. This can lead to privilege escalation or violation of security policies, potentially enabling the attacker to gain unauthorized access to resources or compromise the integrity of the container runtime environment.
Mitigation
The vulnerability is fixed in Singularity version 2.6.1, released on December 11, 2018 [3][4]. Users should upgrade to this version or later. As of the publication date (2018-12-17), no workarounds were documented in the available references. Users still on unsupported versions should upgrade immediately.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/sylabs/singularity (Go) | >= 2.4.0, < 2.6.1 | 2.6.1 |
Affected products
| Package (purl) | CPE | Affected range |
|---|---|---|
| pkg:golang/github.com/sylabs/singularity | (no CPE) | >= 2.4.0, < 2.6.1 |
| pkg:rpm/opensuse/singularity&distro=openSUSE%20Leap%2015.0 | (no CPE) | < 2.6.1-bp150.3.6.1 |
| pkg:rpm/opensuse/singularity&distro=openSUSE%20Tumbleweed | (no CPE) | < 3.8.3-1.2 |
| pkg:rpm/suse/singularity&distro=SUSE%20Package%20Hub%2012%20SP3 | (no CPE) | < 2.6.1-14.1 |
| pkg:rpm/suse/singularity&distro=SUSE%20Package%20Hub%2015 | (no CPE) | < 2.6.1-bp150.3.6.1 |
Patches
- 9103f0155259: updating files for 2.6.1 release
3 files changed · +14 −1
CHANGELOG.md+6 −0 modified@@ -12,6 +12,12 @@ and changes prior to that are (unfortunately) done retrospectively. Critical ite - migration guidance (how to convert images?) - changed behaviour (recipe sections work differently) +## [v2.6.1] + +### [Security related fixes](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1929) + - disables instance features for mount commands, disables instance join for + start command, and disables daemon start for action commands + ## [v2.6.0] ### Bug fixes
configure.ac+1 −1 modified@@ -1,5 +1,5 @@ AC_PREREQ(2.59) -AC_INIT([singularity],[2.6.0],[gmkurtzer@gmail.com]) +AC_INIT([singularity],[2.6.1],[gmkurtzer@gmail.com]) if test -z "$prefix" -o "$prefix" = "NONE" ; then prefix=${ac_default_prefix}
debian/changelog+7 −0 modified@@ -1,3 +1,10 @@ +singularity-container (2.6.1-1) unstable; urgency=high + + * disables instance features for mount commands, disables instance join for + start command, and disables daemon start for action commands + + -- Gregory M. Kurtzer <gmkurtzer@gmail.com> Tue, 11 Dec 2018 09:25:53 -0700 + singularity-container (2.6.0-1) unstable; urgency=high * Allow admin to specify a non-standard location for mksquashfs binary at
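Review bot: the security-fix link added in the CHANGELOG.md hunk, `https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1929`, is missing the final digit of the identifier and so does not name this CVE; the advisory is CVE-2018-19295, so the link should read `cvename.cgi?name=CVE-2018-19295` and the entry text should state the CVE id. The entry also describes behaviour changes (instance features disabled for mount commands, instance join disabled for start, daemon start disabled for action commands) that none of the three files in this commit (CHANGELOG.md, configure.ac, debian/changelog) implement, so the entry should reference the commit(s) that carry the actual code change.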
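Review bot: the new `singularity-container (2.6.1-1)` stanza in the debian/changelog hunk is marked `urgency=high` but never names the CVE, so distribution security trackers cannot match this upload to the advisory; suggest leading the bullet with the identifier, e.g. `* Fix CVE-2018-19295: disable instance features for mount commands, instance join for start, and daemon start for action commands`.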
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-p83v-8vmr-qfv9 (GHSA; advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2018-19295 (GHSA; advisory)
- [3] github.com/sylabs/singularity/commit/9103f0155259fdf1159277bca3c2d347571cba0d (GHSA; web)
- [4] github.com/sylabs/singularity/releases/tag/2.6.1 (GHSA; x_refsource_CONFIRM; web)