Lucene search
GoogleOSV:GHSA-4GH8-X3VV-PHHGHistoryMay 18, 2021 - 6:30 p.m.
Predictable SIF UUID Identifiers in github.com/sylabs/sif
2021-05-1818:30:38
Google
osv.dev
11
EPSS
0.003
Percentile
70.0%
Impact
The siftool new command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency.
Patches
A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.
The patch is commit https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d
Workarounds
Users passing CreateInfo struct should ensure the ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:
go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in github.com/sylabs/sif
- Email us at [email protected]
Related
osv
osv
CVE-2021-29499
2021-05-07 21:15:07
nvd
nvd
CVE-2021-29499
2021-05-07 21:15:07
debiancve
debiancve
CVE-2021-29499
2021-05-07 21:15:07
ubuntucve
ubuntucve
CVE-2021-29499
2021-05-07 00:00:00
cve
cve
CVE-2021-29499
2021-05-07 21:15:07
prion
prion
Command injection
2021-05-07 21:15:00
cvelist
cvelist
CVE-2021-29499 Predictable SIF UUID Identifiers
2021-05-07 20:50:09
github
github
Predictable SIF UUID Identifiers in github.com/sylabs/sif
2021-05-18 18:30:38