Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features.
6.5CVSS
6.2AI Score
0.001EPSS
Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.
7.8CVSS
7.2AI Score
0.0004EPSS
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The ma...
8.8CVSS
8.6AI Score
0.002EPSS
Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
7.5CVSS
7.3AI Score
0.003EPSS
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically val...
7.5CVSS
7.4AI Score
0.002EPSS
7.5CVSS
7.3AI Score
0.002EPSS
Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
7.5CVSS
7.6AI Score
0.002EPSS
Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs, it is possible to overwrite/create any files on the host filesystem during the extraction with a craf...
9.3CVSS
8.7AI Score
0.003EPSS
Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
8.1CVSS
8.2AI Score
0.002EPSS
Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.
8.8CVSS
8.1AI Score
0.003EPSS
Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used.
5.5CVSS
5.4AI Score
0.0005EPSS
SIF is an open source implementation of the Singularity Container Image Format. The siftool new command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency. A patch is available in version...
7.5CVSS
7.5AI Score
0.003EPSS
Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylab...
6.3CVSS
6.2AI Score
0.002EPSS
9.8CVSS
9.4AI Score
0.002EPSS
Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value.
9.8CVSS
9.4AI Score
0.002EPSS
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectl...
7.6CVSS
7.3AI Score
0.001EPSS
syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >...
9.8CVSS
9.3AI Score
0.002EPSS
Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat ...
7.8CVSS
7.4AI Score
0.001EPSS