SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and the function siftool.New() produce predictable UUID identifiers because the version of the `github.com/satori/go.uuid` module that sif depends on generates UUIDs with insecure randomness. A patch is available in version v1.2.3 or later of the sif module, and users are encouraged to upgrade. As a workaround, users who pass a CreateInfo struct themselves should ensure the `ID` field is generated with a version of `github.com/satori/go.uuid` that is not affected by this issue.
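The advisory's workaround is to generate the `ID` yourself rather than trust the dependency. The following Go program is an added example written for this page; it is not code from sylabs/sif or from satori/go.uuid. It assumes (from my reading of the satori issue linked in the records below, not from anything this page states) that the weak behaviour is a single `Read` call whose byte count is never checked, so a short read leaves the rest of the UUID as zeros. The names `newV4Unchecked`, `newV4`, `NewSecureID`, `CheckID` and `shortReader` are hypothetical, and `UUID` here is a plain 16-byte array standing in for the type of the `CreateInfo.ID` field.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier. It mirrors the shape of the ID
// that a caller supplies in a CreateInfo struct (assumption for this example).
type UUID [16]byte

// setV4Bits stamps version 4 and the RFC 4122 variant onto raw random bytes.
func setV4Bits(u *UUID) {
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // variant 10xx
}

// newV4Unchecked models the weak pattern (assumed, not copied from any
// library): one Read call whose byte count is ignored. An io.Reader may
// legally return fewer bytes than requested; the unfilled bytes stay zero.
func newV4Unchecked(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := r.Read(u[:]); err != nil {
		return UUID{}, err
	}
	setV4Bits(&u)
	return u, nil
}

// newV4 is the hardened form: io.ReadFull keeps reading until all 16 bytes
// are filled or returns an error, so a short read can never leave zeros.
func newV4(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, err
	}
	setV4Bits(&u)
	return u, nil
}

// NewSecureID is what a caller building a CreateInfo would use for the ID
// field: the OS CSPRNG via crypto/rand, read in full.
func NewSecureID() (UUID, error) { return newV4(rand.Reader) }

// String renders the UUID in the canonical 8-4-4-4-12 form.
func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:])
}

// CheckID is a cheap gate for an ID handed in by a caller: it rejects the nil
// UUID, anything that is not a v4 RFC 4122 UUID, and an all-zero random tail,
// which is how an unchecked short read shows up in the output.
func CheckID(u UUID) error {
	if u == (UUID{}) {
		return errors.New("nil UUID")
	}
	if u[6]>>4 != 4 || u[8]&0xc0 != 0x80 {
		return errors.New("not a version-4 RFC 4122 UUID")
	}
	if bytes.Equal(u[10:], make([]byte, 6)) {
		return errors.New("suspicious all-zero tail: possible short read")
	}
	return nil
}

// shortReader is a constructed entropy source that returns one byte per
// call, standing in for a reader that produces short reads.
type shortReader struct{ src io.Reader }

func (s shortReader) Read(p []byte) (int, error) {
	if len(p) == 0 {
		return 0, nil
	}
	return s.src.Read(p[:1])
}

func main() {
	weak, _ := newV4Unchecked(shortReader{rand.Reader})
	strong, _ := newV4(shortReader{rand.Reader})
	id, _ := NewSecureID()
	fmt.Println("unchecked read:", weak, CheckID(weak))   // flagged: 15 of 16 bytes are zero
	fmt.Println("io.ReadFull:   ", strong, CheckID(strong)) // passes
	fmt.Println("secure ID:     ", id, CheckID(id))         // passes
}
```

Run it and the unchecked variant prints an ID whose last six bytes are all zero while the `io.ReadFull` variant does not, even though both used the same one-byte-at-a-time reader. In a real sif build, `go list -m github.com/satori/go.uuid` shows which version your module graph resolved, and the `go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557` line quoted in the advisory records below pins the fixed commit.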
{"id": "CVE-2021-29499", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-29499", "description": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.", "published": "2021-05-07T21:15:00", "modified": "2021-05-19T18:53:00", "epss": [{"cve": "CVE-2021-29499", "epss": 0.00205, "percentile": 0.57128, "modified": "2023-05-27"}], "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29499", "reporter": "security-advisories@github.com", "references": 
["https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg"], "cvelist": ["CVE-2021-29499"], "immutableFields": [], "lastseen": "2023-05-27T14:37:16", "viewCount": 21, "enchantments": {"dependencies": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-29499"]}, {"type": "github", "idList": ["GHSA-4GH8-X3VV-PHHG"]}, {"type": "osv", "idList": ["OSV:GHSA-4GH8-X3VV-PHHG"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-29499"]}], "rev": 4}, "score": {"value": 2.7, "vector": "NONE"}, "twitter": {"counter": 4, "modified": "2021-05-13T07:35:55", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1395123451061489671", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-29499 (singularity_image_format)) has been published on https://t.co/stUMeTrbIt?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1395123451061489671", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-29499 (singularity_image_format)) has been published on https://t.co/stUMeTrbIt?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1395123472355954688", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-29499 (singularity_image_format)) has been published on https://t.co/zNqN13nNSF?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1395123472355954688", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-29499 (singularity_image_format)) has been published on https://t.co/zNqN13nNSF?amp=1"}]}, "backreferences": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-29499"]}, {"type": "github", "idList": ["GHSA-4GH8-X3VV-PHHG"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-29499"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "sylabs singularity image format", "version": 1}]}, "epss": [{"cve": "CVE-2021-29499", "epss": 0.00205, "percentile": 0.57032, "modified": "2023-05-07"}], "vulnersScore": 2.7}, "_state": {"dependencies": 1685211539, "score": 
1685200094, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "c81878ef0d41cd56a6f4a26a37d47442"}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "score": 7.5}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-330"], "affectedSoftware": [{"cpeName": "sylabs:singularity_image_format", "version": "1.2.3", "operator": "lt", "name": "sylabs singularity image format"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sylabs:singularity_image_format:1.2.3:*:*:*:*:*:*:*", "versionEndExcluding": "1.2.3", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg", "name": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}], "product_info": [{"vendor": "sylabs", "product": "sif"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "exploits": []}
{"osv": [{"lastseen": "2023-01-10T16:37:01", "description": "### Impact\n\nThe `siftool new` command and [func siftool.New()](https://pkg.go.dev/github.com/sylabs/sif/pkg/siftool#New) produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.\n\n### Patches\n\nA patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.\n\nThe patch is commit https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d\n\n### Workarounds\nUsers passing [CreateInfo struct](https://pkg.go.dev/github.com/sylabs/sif/pkg/sif#CreateInfo) should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:\n\n```\ngo get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557\n```\n\n### References\n* https://github.com/satori/go.uuid/issues/73\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)\n* Email us at [security@sylabs.io](mailto:security@sylabs.io)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-18T18:30:38", "type": "osv", "title": "Predictable SIF UUID Identifiers in github.com/sylabs/sif", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2023-01-10T16:09:36", "id": "OSV:GHSA-4GH8-X3VV-PHHG", "href": "https://osv.dev/vulnerability/GHSA-4gh8-x3vv-phhg", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "github": [{"lastseen": "2023-05-27T15:15:55", "description": "### Impact\n\nThe `siftool new` command and [func siftool.New()](https://pkg.go.dev/github.com/sylabs/sif/pkg/siftool#New) produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.\n\n### Patches\n\nA patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.\n\nThe patch is commit https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d\n\n### Workarounds\nUsers passing [CreateInfo struct](https://pkg.go.dev/github.com/sylabs/sif/pkg/sif#CreateInfo) should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. 
One way to obtain a non-vulnerable version is:\n\n```\ngo get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557\n```\n\n### References\n* https://github.com/satori/go.uuid/issues/73\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)\n* Email us at [security@sylabs.io](mailto:security@sylabs.io)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-18T18:30:38", "type": "github", "title": "Predictable SIF UUID Identifiers in github.com/sylabs/sif", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2023-02-03T05:00:50", "id": "GHSA-4GH8-X3VV-PHHG", "href": "https://github.com/advisories/GHSA-4gh8-x3vv-phhg", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2023-05-27T15:13:22", "description": "SIF is an open source implementation of the Singularity Container Image Format. 
The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T21:15:00", "type": "debiancve", "title": "CVE-2021-29499", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2021-05-07T21:15:00", "id": "DEBIANCVE:CVE-2021-29499", "href": "https://security-tracker.debian.org/tracker/CVE-2021-29499", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "ubuntucve": [{"lastseen": "2023-05-28T13:30:18", "description": "SIF is an open source implementation of the Singularity Container Image\nFormat. 
The `siftool new` command and func siftool.New() produce\npredictable UUID identifiers due to insecure randomness in the version of\nthe `github.com/satori/go.uuid` module used as a dependency. A patch is\navailable in version >= v1.2.3 of the module. Users are encouraged to\nupgrade. As a workaround, users passing CreateInfo struct should ensure the\n`ID` field is generated using a version of `github.com/satori/go.uuid` that\nis not vulnerable to this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T00:00:00", "type": "ubuntucve", "title": "CVE-2021-29499", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2021-05-07T00:00:00", "id": "UB:CVE-2021-29499", "href": "https://ubuntu.com/security/CVE-2021-29499", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}]}