Go modules package
github.com/sylabs/singularity
pkg:golang/github.com/sylabs/singularity
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-32635 | — | | | >= 3.7.2, < 3.7.4 | 3.7.4 | May 28, 2021 | Singularity is an open source container platform. In versions 3.7.2 and 3.7.3, due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default |
| CVE-2020-15229 | — | | | >= 3.1.1, < 3.6.4 | 3.6.4 | Oct 14, 2020 | Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the e |
| CVE-2020-25040 | — | | | < 3.6.3 | 3.6.3 | Sep 16, 2020 | Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039. |
| CVE-2020-25039 | — | | | >= 3.2.0, < 3.6.3 | 3.6.3 | Sep 16, 2020 | Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution. |
| CVE-2020-13846 | — | | | >= 3.5.0, < 3.6.0 | 3.6.0 | Jul 14, 2020 | Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code. |
| CVE-2020-13845 | — | | | >= 3.0.0, < 3.6.0 | 3.6.0 | Jul 14, 2020 | Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cr |
| CVE-2019-19724 | — | | | >= 3.3.0, < 3.5.2 | 3.5.2 | Dec 18, 2019 | Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. |
| CVE-2019-11328 | — | | | >= 3.1.0, < 3.2.0 | 3.2.0 | May 14, 2019 | An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing// |
| CVE-2018-19295 | — | | | >= 2.4.0, < 2.6.1 | 2.6.1 | Dec 17, 2018 | Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks. |