CVE-2020-13845
Description
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sylabs Singularity 3.0-3.5 fails to validate image integrity when an Execution Control List (ECL) policy is enforced, allowing trivial bypass of signature verification.
Vulnerability
Details
CVE-2020-13845 affects Sylabs Singularity versions 3.0 through 3.5. The Execution Control List (ECL) mechanism is meant to enforce a policy on which signed container images may run, keyed by the fingerprint of the signing key. The integrity check is improperly implemented: the fingerprint required by the ECL is compared against the fingerprint recorded in the signature object descriptor(s) of the SIF file rather than against a cryptographically validated signature. Because the descriptor is metadata written into the file by whoever produced it, a match proves neither that the listed key produced the signature nor that the image has not been tampered with since signing [1][2].
Exploitation
An attacker who can supply a malicious SIF container image to a system with ECL enabled can trivially bypass the policy. Because the fingerprint comparison is performed against the descriptor, a field the image producer can set to any value, rather than against a cryptographic signature, the attacker needs only to know which fingerprint the ECL trusts and does not need the private key associated with it. Crafting an image that passes the ECL check is straightforward [2].
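The following Go program is an added illustration of the flaw described in the Details and Exploitation sections above; it is not Singularity's own code. It models a SIF signature descriptor as a claimed fingerprint plus signature bytes, reproduces the vulnerable ECL check (fingerprint compared with the descriptor field only) beside a corrected check (the allowlisted key must actually verify the signature over the payload), and runs a legitimate, a forged and a tampered image through both. The image layout, the fingerprint derivation (hex SHA-256 of an ed25519 public key rather than a PGP fingerprint), the fixed key seeds and all function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SigDescriptor is a simplified stand-in for a SIF signature object
// descriptor (assumption; real SIF metadata is richer). Fingerprint is
// the signer fingerprint the descriptor *claims*; nothing ties it to the
// key that actually produced Signature.
type SigDescriptor struct {
	Fingerprint string
	Signature   []byte
}

// Image is a simplified container image: payload plus signature descriptors.
type Image struct {
	Payload []byte
	Sigs    []SigDescriptor
}

// fingerprintOf derives a key fingerprint as hex SHA-256 of the public key
// (assumption for the example; Singularity uses PGP key fingerprints).
func fingerprintOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signImage builds a legitimately signed image: the descriptor names the
// key that really signed the payload digest.
func signImage(payload []byte, priv ed25519.PrivateKey) Image {
	digest := sha256.Sum256(payload)
	return Image{Payload: payload, Sigs: []SigDescriptor{{
		Fingerprint: fingerprintOf(priv.Public().(ed25519.PublicKey)),
		Signature:   ed25519.Sign(priv, digest[:]),
	}}}
}

// forgeImage is the attacker's move: write a trusted fingerprint into the
// descriptor and attach a signature made with the attacker's own key.
func forgeImage(payload []byte, trustedFP string, attackerPriv ed25519.PrivateKey) Image {
	digest := sha256.Sum256(payload)
	return Image{Payload: payload, Sigs: []SigDescriptor{{
		Fingerprint: trustedFP,
		Signature:   ed25519.Sign(attackerPriv, digest[:]),
	}}}
}

// vulnerableECL reproduces the CVE-2020-13845 logic: only the descriptor's
// fingerprint field is compared with the allowlist; the signature bytes
// are never verified.
func vulnerableECL(img Image, allowedFPs map[string]bool) bool {
	for _, s := range img.Sigs {
		if allowedFPs[s.Fingerprint] {
			return true
		}
	}
	return false
}

// fixedECL is the corrected logic: the allowlist maps fingerprints to the
// keys themselves, and an entry only counts if that key cryptographically
// verifies the signature over the payload.
func fixedECL(img Image, allowedKeys map[string]ed25519.PublicKey) bool {
	digest := sha256.Sum256(img.Payload)
	for _, s := range img.Sigs {
		pub, ok := allowedKeys[s.Fingerprint]
		if ok && ed25519.Verify(pub, digest[:], s.Signature) {
			return true
		}
	}
	return false
}

// Verdict records how one image fares under each policy check.
type Verdict struct{ Vulnerable, Fixed bool }

// Demo runs a legitimate, a forged and a tampered image through both checks.
// Keys come from fixed seeds: constructed test data, not real keys.
func Demo() (legit, forged, tampered Verdict) {
	trustedPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	trustedPub := trustedPriv.Public().(ed25519.PublicKey)
	trustedFP := fingerprintOf(trustedPub)
	allowedFPs := map[string]bool{trustedFP: true}
	allowedKeys := map[string]ed25519.PublicKey{trustedFP: trustedPub}

	good := signImage([]byte("approved container payload"), trustedPriv)
	evil := forgeImage([]byte("malicious container payload"), trustedFP, attackerPriv)
	modified := good // same descriptor, payload changed after signing
	modified.Payload = []byte("approved container payload, then modified")

	legit = Verdict{vulnerableECL(good, allowedFPs), fixedECL(good, allowedKeys)}
	forged = Verdict{vulnerableECL(evil, allowedFPs), fixedECL(evil, allowedKeys)}
	tampered = Verdict{vulnerableECL(modified, allowedFPs), fixedECL(modified, allowedKeys)}
	return legit, forged, tampered
}

func main() {
	legit, forged, tampered := Demo()
	fmt.Printf("legitimate: vulnerable=%v fixed=%v\n", legit.Vulnerable, legit.Fixed)
	fmt.Printf("forged:     vulnerable=%v fixed=%v\n", forged.Vulnerable, forged.Fixed)
	fmt.Printf("tampered:   vulnerable=%v fixed=%v\n", tampered.Vulnerable, tampered.Fixed)
}
```

The forged and tampered images both pass vulnerableECL, because the descriptor still carries the trusted fingerprint, and both fail fixedECL, because the only key the policy will accept does not verify the signature over the payload. The design point of the fix is that the allowlist must resolve to key material and the signature must be checked against that material; a fingerprint is an index into a keyring, not evidence.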
Impact
Successful exploitation allows an attacker to run arbitrary container images that violate the ECL policy. This undermines the security guarantees that ECL was intended to provide, potentially leading to unauthorized code execution or privilege escalation within the container environment [1][2].
Mitigation
The issue is fixed in Singularity 3.6.0. Users are strongly advised to upgrade. Note that version 3.6.0 introduces a new signature format that is incompatible with earlier versions. A legacyinsecure = true option is available in ecl.toml to temporarily support older signatures, but this does not restore integrity validation and should only be used as a transitional measure. No workaround exists if ECL is required and the system cannot be upgraded [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/sylabs/singularity (Go) | >= 3.0.0, < 3.6.0 | 3.6.0 |
Affected products
- Sylabs/Singularity
  - pkg:golang/github.com/sylabs/singularity (no CPE): >= 3.0.0, < 3.6.0
  - pkg:rpm/opensuse/singularity&distro=openSUSE%20Leap%2015.1 (no CPE): < 3.6.0-lp151.2.6.1
  - pkg:rpm/opensuse/singularity&distro=openSUSE%20Leap%2015.2 (no CPE): < 3.6.0-lp152.2.3.1
  - pkg:rpm/opensuse/singularity&distro=openSUSE%20Tumbleweed (no CPE): < 3.8.3-1.2
  - pkg:rpm/suse/singularity&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE): < 3.6.0-bp152.2.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html (SUSE vendor advisory)
- https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html (SUSE vendor advisory)
- https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html (SUSE vendor advisory)
- https://github.com/advisories/GHSA-pmfr-63c2-jr5c (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-13845 (NVD advisory)
- https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c (project security advisory)
- https://medium.com/sylabs (vendor blog)
News mentions
No linked articles in our index yet.