Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-M5M3-46GJ-WCH8
HistoryOct 06, 2022 - 7:54 p.m.

SIF's Digital Signature Hash Algorithms Not Validated

2022-10-0619:54:55
CWE-327
CWE-347
GitHub Advisory Database
github.com
13

0.002 Low

EPSS

Percentile

59.1%

JSON

Impact

The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.

The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
github.com/sylabs/sif/v2lt2.8.1

Related

osv 5
nessus 11
gentoo 1
cvelist 4
ubuntucve 3
fortinet 1
veracode 3
cnvd 1
debiancve 2
alpinelinux 1
cve 4
openvas 14
f5 2
fedora 2
ubuntu 1
prion 3
redhatcve 1
github 1
suse 1
redhat 1
ics 1
oracle 1
osv
osv
SIF's Digital Signature Hash Algorithms Not Validated
2022-10-06 19:54:55
Improper validation of signature hash algorithms in github.com/sylabs/sif/v2
2022-10-21 15:34:36
CVE-2022-39237
2022-10-06 18:16:10
nessus
nessus
SSL Certificate Signed Using Weak Hashing Algorithm
2009-01-05 00:00:00
SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)
2016-12-08 00:00:00
GLSA-202210-19 : Apptainer: Lack of Digital Signature Hash Verification
2022-10-31 00:00:00
gentoo
gentoo
Apptainer: Lack of Digital Signature Hash Verification
2022-10-31 00:00:00
cvelist
cvelist
CVE-2022-39237 Digital Signature Hash Algorithms Not Validated in sylabs/sif
2022-10-06 00:00:00
CVE-2005-4900
2016-10-14 16:00:00
CVE-2004-2761
2009-01-05 20:00:00
ubuntucve
ubuntucve
CVE-2022-39237
2022-10-06 00:00:00
CVE-2004-2761
2009-01-05 00:00:00
CVE-2019-16370
2019-09-16 00:00:00
fortinet
fortinet
FortiOS SSL Deep-Inspection Proxy Mode badssl.com Compliance
2018-05-16 00:00:00
veracode
veracode
Collision Attack
2017-08-14 04:39:15
Improper Verification Of Cryptographic Signatures
2022-10-07 09:37:48
Spoofing Attacks
2020-04-10 00:55:19
cnvd
cnvd
Singularity Image Format Encryption Problem Vulnerability
2022-10-10 00:00:00
debiancve
debiancve
CVE-2022-39237
2022-10-06 18:16:00
CVE-2019-16370
2019-09-16 18:15:00
alpinelinux
alpinelinux
CVE-2022-39237
2022-10-06 18:16:00
cve
cve
CVE-2022-39237
2022-10-06 18:16:00
CVE-2005-4900
2016-10-14 16:59:00
CVE-2004-2761
2009-01-05 20:30:02
openvas
openvas
Fedora Core 9 FEDORA-2009-1276 (nss)
2009-02-10 00:00:00
Ubuntu USN-740-1 (firefox)
2009-03-20 00:00:00
Ubuntu: Security Advisory (USN-740-1)
2009-03-19 00:00:00
f5
f5
SOL15578 - MD5 Message-Digest Algorithm vulnerability CVE-2004-2761
2014-09-11 00:00:00
K15578 : MD5 Message-Digest Algorithm vulnerability CVE-2004-2761
2014-09-11 00:00:00
fedora
fedora
[SECURITY] Fedora 10 Update: nss-3.12.2.0-4.fc10
2009-02-05 02:15:23
[SECURITY] Fedora 9 Update: nss-3.12.2.0-2.fc9
2009-02-05 02:13:54
ubuntu
ubuntu
NSS vulnerability
2009-03-17 00:00:00
prion
prion
Design/Logic Flaw
2022-10-06 18:16:00
Denial of service
2019-09-16 18:15:00
Design/Logic Flaw
2016-09-18 02:59:00
redhatcve
redhatcve
CVE-2019-16370
2019-10-07 06:36:52
github
github
Use of a weak cryptographic algorithm in Gradle
2022-05-24 16:56:18
suse
suse
Security update for subversion (important)
2017-08-17 00:09:05
redhat
redhat
(RHSA-2010:0838) Moderate: pki security and enhancement update
2010-11-08 00:00:00
ics
ics
Philips Intellispace Portal ISP Vulnerabilities
2018-02-27 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

0.002 Low

EPSS

Percentile

59.1%

JSON
Related for GHSA-M5M3-46GJ-WCH8
osv5nessus11gentoo1cvelist4ubuntucve3fortinet1veracode3cnvd1debiancve2alpinelinux1cve4openvas14f52fedora2ubuntu1prion3redhatcve1github1suse1redhat1ics1oracle1