Moderate severityNVD Advisory· Published Oct 6, 2022· Updated Apr 23, 2025
Digital Signature Hash Algorithms Not Validated in sylabs/sif
CVE-2022-39237
Description
syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/sylabs/sif/v2Go | < 2.8.1 | 2.8.1 |
Affected products
5- ghsa-coords4 versionspkg:golang/github.com/sylabs/sif/v2pkg:rpm/opensuse/apptainer&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/apptainer&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/singularity-ce&distro=openSUSE%20Tumbleweed
< 2.8.1+ 3 more
- (no CPE)range: < 2.8.1
- (no CPE)range: < 1.1.2-lp154.2.1
- (no CPE)range: < 1.1.2-1.1
- (no CPE)range: < 4.1.3-1.1
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-m5m3-46gj-wch8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-39237ghsaADVISORY
- nvd.nist.gov/vuln/detail/cve-2004-2761ghsaADVISORY
- nvd.nist.gov/vuln/detail/cve-2005-4900ghsaADVISORY
- security.gentoo.org/glsa/202210-19ghsavendor-advisoryWEB
- github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaaghsaWEB
- github.com/sylabs/sif/releases/tag/v2.8.1ghsaWEB
- github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8ghsaWEB
- pkg.go.dev/vuln/GO-2022-1045ghsaWEB
News mentions
0No linked articles in our index yet.