CVE-2020-13846
Description
Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sylabs Singularity 3.5.0–3.5.3 fails to report an error exit code when `verify --all` encounters unsigned or unverifiable objects, allowing untrusted containers to be accepted as verified.
Root Cause
CVE-2020-13846 affects Sylabs Singularity versions 3.5.0 through 3.5.3. The singularity verify command with the --all (or -a) option returns a successful exit code (0) and prints a "Container Verified" message even when some objects within a SIF container are not signed or cannot be verified. Warnings are logged for the unverified objects, but the command does not treat them as failures [1][3].
Attack Surface
A remote or local attacker can craft a SIF container that contains unsigned or modified objects. If a workflow relies on the exit code of singularity verify --all as the sole indicator of container integrity, the attacker's container is accepted as verified despite containing untrusted components. The attacker needs no authentication or special privileges; it suffices that the crafted image reaches a workflow that runs singularity verify --all on it [3].
Impact
Successful exploitation allows an attacker to introduce unsigned or modified objects into a SIF container that the verification process incorrectly marks as fully verified. A downstream user or automated system that trusts the exit code may then run an untrusted container, potentially leading to arbitrary code execution or other malicious behavior within the container environment.
Mitigation
The issue is fixed in Singularity 3.6.0, which ships a new sign/verify implementation that returns a non-zero exit code when any object fails verification. Upgrade to 3.6.0 or later. Where upgrading is not possible, do not treat the exit code of singularity verify --all on 3.5.x as an indicator of trust on its own; inspect the command's output for warnings about unsigned or unverifiable objects as well. Note that Singularity 3.5.x cannot verify containers signed with the new format, and 3.6.0 provides a --legacy-insecure flag to verify older signatures; as the name indicates, images accepted only under that flag do not carry the assurance of the new implementation [3].
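The following is an added example of the CI gate that the Attack Surface and Mitigation sections describe; it is not part of the Singularity project or of this advisory. It wraps singularity verify --all for hosts still on 3.5.x and refuses an image when the exit code is non-zero, when any WARNING line appears in the output, or when the "Container Verified" marker (quoted from the advisory text above) is absent. The function and variable names are hypothetical, and the warning wording used in the comments and in testing is constructed sample output, not a verbatim Singularity message.

```shell
# check_verify_output RC OUTPUT
# Gate the result of `singularity verify --all` on Singularity 3.5.x, where an
# exit code of 0 may still accompany warnings about unsigned or unverifiable
# objects (CVE-2020-13846). Returns 0 only when the exit code is 0, no WARNING
# line was emitted, and the "Container Verified" marker is present.
check_verify_output() {
    rc="$1"
    out="$2"

    if [ "$rc" -ne 0 ]; then
        echo "reject: singularity verify exited with status $rc"
        return 1
    fi

    # 3.5.x only warns about objects it could not verify; treat any warning
    # as a failure. The "WARNING" prefix is an assumption about the log format.
    if printf '%s\n' "$out" | grep -qi '^WARNING'; then
        echo "reject: verify output contains warnings about unverified objects"
        return 1
    fi

    if ! printf '%s\n' "$out" | grep -q 'Container Verified'; then
        echo "reject: success marker not found in verify output"
        return 1
    fi

    echo "accept: all objects verified"
    return 0
}

# verify_image IMAGE
# Runs the real command and applies the gate. Singularity logs to stderr, so
# both streams are captured. Do not add --legacy-insecure here: an image that
# only passes under that flag must not be treated as verified by this gate.
verify_image() {
    out=$(singularity verify --all "$1" 2>&1)
    rc=$?
    check_verify_output "$rc" "$out"
}
```

Call verify_image on the SIF file in the pipeline step that previously checked only `$?`. On 3.6.0 and later the exit code is reliable, so the extra output checks become redundant but remain harmless.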
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/sylabs/singularity (Go) | >= 3.5.0, < 3.6.0 | 3.6.0 |
Affected products
- Sylabs/Singularity (no CPE assigned; ranges per package URL)
  - pkg:golang/github.com/sylabs/singularity: >= 3.5.0, < 3.6.0
  - pkg:rpm/opensuse/singularity (openSUSE Leap 15.1): < 3.6.0-lp151.2.6.1
  - pkg:rpm/opensuse/singularity (openSUSE Leap 15.2): < 3.6.0-lp152.2.3.1
  - pkg:rpm/opensuse/singularity (openSUSE Tumbleweed): < 3.8.3-1.2
  - pkg:rpm/suse/singularity (SUSE Package Hub 15 SP2): < 3.6.0-bp152.2.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html (vendor advisory, SUSE)
[2] lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html (vendor advisory, SUSE)
[3] lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html (vendor advisory, SUSE)
[4] github.com/advisories/GHSA-6w7g-p4jh-rf92 (advisory)
[5] nvd.nist.gov/vuln/detail/CVE-2020-13846 (advisory)
[6] github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92 (project security advisory)
[7] medium.com/sylabs (vendor blog)
News mentions
No linked articles in our index yet.