CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS
Percentile
54.3%
A dependency used to extract docker/OCI image layers can be tricked into modifying host files: a malicious layer containing a symlink entry named "." (or "/") is applied outside the container root when the extraction runs as root. (CVE-2021-29136)

Due to incorrect use of a default URL, singularity action commands (run/shell/exec) that specify a container with a library:// URI always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint under a URI identical to the one a victim uses with a non-default remote endpoint, so that the malicious container is executed. Only action commands (run/shell/exec) against library:// URIs are affected; other commands such as pull/push respect the configured remote endpoint. (CVE-2021-32635)

If the Content-Type header changes between two pulls of the same digest, a client may interpret the resulting content differently. (CVE-2021-41190)
OS | OS version | Architecture | Package | Affected versions | Fixed package |
---|---|---|---|---|---|
Mageia | 8 | noarch | singularity | < 3.8.5-1 | singularity-3.8.5-1.mga8 |
bugs.mageia.org/show_bug.cgi?id=29027
github.com/sylabs/singularity/releases/tag/v3.7.4
lists.fedoraproject.org/archives/list/[email protected]/thread/BMX7XV7YNNNOVKKIOOPNENIXY64H4ZEY/
lists.fedoraproject.org/archives/list/[email protected]/thread/D2IU6GJMCV5CQKUQZLHBP6EHSIZZXC3X/
lists.opensuse.org/archives/list/[email protected]/thread/L3AGIEOXZIUUEYYMWKJCJCQI7V235UTR/
lists.opensuse.org/archives/list/[email protected]/thread/U5WJLLGD3LSUWRS73C4NPIWYTMST4QO5/