rpm package
opensuse/singularity&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/singularity&distro=openSUSE%20Tumbleweed
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-41190 | — | < 3.8.5-1.1 | 3.8.5-1.1 | Nov 17, 2021 | The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operat | ||
| CVE-2021-32635 | — | < 3.8.3-1.2 | 3.8.3-1.2 | May 28, 2021 | Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default | ||
| CVE-2021-29136 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Apr 6, 2021 | Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. | ||
| CVE-2020-15229 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Oct 14, 2020 | Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the e | ||
| CVE-2020-25040 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Sep 16, 2020 | Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039. | ||
| CVE-2020-25039 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Sep 16, 2020 | Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution. | ||
| CVE-2020-13846 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Jul 14, 2020 | Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code. | ||
| CVE-2020-13845 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Jul 14, 2020 | Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cr | ||
| CVE-2020-13847 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Jul 14, 2020 | Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. | ||
| CVE-2019-19724 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Dec 18, 2019 | Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. | ||
| CVE-2019-11328 | — | < 3.8.3-1.2 | 3.8.3-1.2 | May 14, 2019 | An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing// | ||
| CVE-2018-19295 | — | < 3.8.3-1.2 | 3.8.3-1.2 | Dec 17, 2018 | Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks. | ||
| CVE-2018-12021 | Med | 6.5 | < 3.8.3-1.2 | 3.8.3-1.2 | Jul 5, 2018 | Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features. |
- CVE-2021-41190Nov 17, 2021affected < 3.8.5-1.1fixed 3.8.5-1.1
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operat
- CVE-2021-32635May 28, 2021affected < 3.8.3-1.2fixed 3.8.3-1.2
Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default
- CVE-2021-29136Apr 6, 2021affected < 3.8.3-1.2fixed 3.8.3-1.2
Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used.
- CVE-2020-15229Oct 14, 2020affected < 3.8.3-1.2fixed 3.8.3-1.2
Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the e
- CVE-2020-25040Sep 16, 2020affected < 3.8.3-1.2fixed 3.8.3-1.2
Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.
- CVE-2020-25039Sep 16, 2020affected < 3.8.3-1.2fixed 3.8.3-1.2
Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
- CVE-2020-13846Jul 14, 2020affected < 3.8.3-1.2fixed 3.8.3-1.2
Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
- CVE-2020-13845Jul 14, 2020affected < 3.8.3-1.2fixed 3.8.3-1.2
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cr
- CVE-2020-13847Jul 14, 2020affected < 3.8.3-1.2fixed 3.8.3-1.2
Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
- CVE-2019-19724Dec 18, 2019affected < 3.8.3-1.2fixed 3.8.3-1.2
Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
- CVE-2019-11328May 14, 2019affected < 3.8.3-1.2fixed 3.8.3-1.2
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing//
- CVE-2018-19295Dec 17, 2018affected < 3.8.3-1.2fixed 3.8.3-1.2
Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.
- affected < 3.8.3-1.2fixed 3.8.3-1.2
Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features.