VYPR
High severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-25040

Description

Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Singularity through 3.6.2 has insecure permissions on temporary directories during container builds, allowing local users to read image contents or inject arbitrary content.

Vulnerability Description

Sylabs Singularity through version 3.6.2 contains a vulnerability related to insecure permissions on temporary directories used during explicit and implicit container build operations [1][2]. This issue is distinct from CVE-2020-25039 [1].

Attack Vector and Prerequisites

A local user with access to the system can exploit this by reading the contents of the container image while it is being built [2]. Furthermore, if the image itself contains a world-writable file or directory, an attacker can inject arbitrary content into the build process [2]. This injection can potentially lead to arbitrary code execution during the build or when the resulting container is run [2].

Impact

The impact includes unauthorized disclosure of sensitive image data and, in the presence of world-writable elements, arbitrary code execution with the privileges of the build process [2]. This could compromise the integrity of the built container and the host system.

Mitigation

Singularity 3.6.3 addresses this vulnerability [2]. Users are advised to upgrade immediately [2]. As a workaround, setting the TMPDIR environment variable to a directory accessible only by the user can mitigate the issue, but this is difficult to enforce and not recommended as a primary fix [2].
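The TMPDIR workaround described above can be scripted and checked before a build. The following is an added example, not code from Sylabs or from this advisory; the function names and the `build-tmp.XXXXXX` template are hypothetical, and it assumes a Linux host with GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the advisory): prepare and verify a private TMPDIR
# for container builds. All function names here are hypothetical.

# is_private_dir DIR: succeed only if DIR is a real directory (not a symlink),
# owned by the current user, with no group/other permission bits set.
is_private_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir") || return 1   # GNU stat, octal mode
    case $mode in
        *00) return 0 ;;   # e.g. 700: nothing for group or other
        *)   return 1 ;;   # e.g. 755 or 1777: readable or writable by others
    esac
}

# make_private_tmpdir BASE: create a fresh directory under BASE that only the
# current user can access, and print its path.
make_private_tmpdir() {
    base=${1:-$HOME}
    ( umask 077 && mktemp -d "$base/build-tmp.XXXXXX" )
}

# world_writable_entries DIR: list non-symlink entries under DIR that any user
# can write to, the condition the advisory ties to content injection.
world_writable_entries() {
    find "$1" -xdev ! -type l -perm -0002 -print
}

# use_private_tmpdir BASE: create, verify, then export TMPDIR so that builds
# started from this shell place their temporary directories inside it.
use_private_tmpdir() {
    t=$(make_private_tmpdir "${1:-$HOME}") || return 1
    is_private_dir "$t" || return 1
    TMPDIR=$t
    export TMPDIR
}
```

Call `use_private_tmpdir` in the shell that will run the build, and use `world_writable_entries` on an unpacked image tree to find entries that would be exposed on an unpatched version.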

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Affected versions   Patched versions
github.com/sylabs/singularity (Go)    < 3.6.3             3.6.3
