Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-M5M3-46GJ-WCH8
HistoryOct 06, 2022 - 7:54 p.m.

SIF's Digital Signature Hash Algorithms Not Validated

2022-10-0619:54:55
CWE-327
CWE-347
GitHub Advisory Database
github.com
10

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

53.5%

JSON

Impact

The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.

The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
github.com/sylabs/sif/v2lt2.8.1

Related

osv 5
nessus 11
ubuntucve 3
fortinet 1
veracode 3
gentoo 1
cve 5
fedora 2
openvas 14
cnvd 1
alpinelinux 1
debiancve 2
f5 2
ubuntu 1
prion 3
redhatcve 1
github 1
suse 1
redhat 1
ics 1
oracle 1
osv
osv
SIF's Digital Signature Hash Algorithms Not Validated
2022-10-06 19:54:55
Improper validation of signature hash algorithms in github.com/sylabs/sif/v2
2022-10-21 15:34:36
CVE-2022-39237
2022-10-06 18:16:10
nessus
nessus
SSL Certificate Signed Using Weak Hashing Algorithm
2009-01-05 00:00:00
Fedora 9 : nss-3.12.2.0-2.fc9 (2009-1276)
2009-02-05 00:00:00
Fedora 10 : nss-3.12.2.0-4.fc10 (2009-1291)
2009-04-23 00:00:00
ubuntucve
ubuntucve
CVE-2022-39237
2022-10-06 00:00:00
CVE-2004-2761
2009-01-05 00:00:00
CVE-2019-16370
2019-09-16 00:00:00
fortinet
fortinet
FortiOS SSL Deep-Inspection Proxy Mode badssl.com Compliance
2018-05-16 00:00:00
veracode
veracode
Collision Attack
2017-08-14 04:39:15
Spoofing Attacks
2020-04-10 00:55:19
Improper Verification Of Cryptographic Signatures
2022-10-07 09:37:48
gentoo
gentoo
Apptainer: Lack of Digital Signature Hash Verification
2022-10-31 00:00:00
cve
cve
CVE-2005-4900
2016-10-14 16:59:00
CVE-2022-39237
2022-10-06 18:16:00
CVE-2004-2761
2009-01-05 20:30:00
fedora
fedora
[SECURITY] Fedora 9 Update: nss-3.12.2.0-2.fc9
2009-02-05 02:13:54
[SECURITY] Fedora 10 Update: nss-3.12.2.0-4.fc10
2009-02-05 02:15:23
openvas
openvas
Fedora Core 10 FEDORA-2009-1291 (nss)
2009-02-10 00:00:00
Fedora Core 9 FEDORA-2009-1276 (nss)
2009-02-10 00:00:00
Fedora Core 9 FEDORA-2009-1276 (nss)
2009-02-10 00:00:00
cnvd
cnvd
Singularity Image Format Encryption Problem Vulnerability
2022-10-10 00:00:00
alpinelinux
alpinelinux
CVE-2022-39237
2022-10-06 18:16:00
debiancve
debiancve
CVE-2022-39237
2022-10-06 18:16:00
CVE-2019-16370
2019-09-16 18:15:00
f5
f5
SOL15578 - MD5 Message-Digest Algorithm vulnerability CVE-2004-2761
2014-09-11 00:00:00
K15578 : MD5 Message-Digest Algorithm vulnerability CVE-2004-2761
2014-09-11 00:00:00
ubuntu
ubuntu
NSS vulnerability
2009-03-17 00:00:00
prion
prion
Design/Logic Flaw
2022-10-06 18:16:00
Denial of service
2019-09-16 18:15:00
Design/Logic Flaw
2016-09-18 02:59:00
redhatcve
redhatcve
CVE-2019-16370
2019-10-07 06:36:52
github
github
Use of a weak cryptographic algorithm in Gradle
2022-05-24 16:56:18
suse
suse
Security update for subversion (important)
2017-08-17 00:09:05
redhat
redhat
(RHSA-2010:0838) Moderate: pki security and enhancement update
2010-11-08 00:00:00
ics
ics
Philips Intellispace Portal ISP Vulnerabilities
2018-02-27 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

53.5%

JSON
Related for GHSA-M5M3-46GJ-WCH8
osv5nessus11ubuntucve3fortinet1veracode3gentoo1cve5fedora2openvas14cnvd1alpinelinux1debiancve2f52ubuntu1prion3redhatcve1github1suse1redhat1ics1oracle1