15 matches found
CVE-2021-29136
CVE-2021-29136 affects Open Container Initiative tool umoci before 0.4.7. A crafted image can trigger symlink traversal during “umoci unpack” or “umoci raw unpack,” allowing an attacker to overwrite arbitrary host paths by manipulating the layer’s contents. Several advisories (openSUSE/SUSE) docu...
CVE-2019-19724
CVE-2019-19724 affects Singularity 3.3.0–3.5.1, where newly created $HOME/.singularity could have insecure permissions (777), enabling information disclosure and malicious redirection of operations against Sylabs cloud services. Publicly available connected documents show openSUSE advisories (ope...
CVE-2020-13846
CVE-2020-13846 affects Sylabs Singularity 3.5.0–3.5.3, where the verify command (e.g., --all/-a) reports success for containers or objects that are not signed or cannot be verified. Public advisories from openSUSE/SUSE indicate this vulnerability exists in Singularity 3.x below 3.6.0 and was fixe...
CVE-2020-25040
CVE-2020-25040 affects Sylabs Singularity prior to 3.6.3, with insecure permissions on temporary directories during container build operations, enabling a logged-in user to read image contents and potentially inject content if world-writable files exist. Public advisories (openSUSE/SLE updates) s...
CVE-2020-25039
CVE-2020-25039 affects Sylabs Singularity from version 3.2.0 through 3.6.2, where insecure permissions on temporary directories used during fakeroot or user namespace container execution can allow read access to image contents. The issue is addressed in Singularity 3.6.3; openSUSE advisories HS i...
CVE-2019-11328
CVE-2019-11328 affects Singularity 3.1.0–3.2.0-rc2, where insecure permissions in /run/singularity/instances/sing// could allow a local attacker to influence starter-suid and escalate privileges on the host. Public documents indicate a remediation path via upgrading to a newer Singularity release...
CVE-2020-13845
CVE-2020-13845 affects Sylabs Singularity 3.0–3.5. The vulnerability is improper validation of an integrity check value: image integrity is not validated when an ECL policy is enforced, because the fingerprint is compared against the SIF descriptor instead of a cryptographically validated signatu...
CVE-2020-15229
CVE-2020-15229 affects Singularity 3.1.1–3.6.3 due to insecure handling of path traversal and missing path sanitization in unsquashfs. When extracting a crafted squashfs filesystem, unprivileged execution (–without-suid or allow setuid = no) can overwrite or create files on the host, with the ext...
CVE-2020-13847
CVE-2020-13847 affects Sylabs Singularity 3.0–3.5 where the signing/verification code does not sign metadata in the SIF global header or data-object descriptors, allowing signed containers to potentially behave unexpectedly if modified. Public advisories (openSUSE/SUSE) note a fix in Singularity ...
CVE-2021-32635
Summary (CVE-2021-32635) : Singularity (open source container platform) versions 3.7.2–3.7.3 expose a flaw where action commands using a library:// URI ignore the configured remote endpoint and always fetch from the default endpoint cloud.sylabs.io. This can allow an attacker to push a malicious ...
CVE-2018-12021
CVE-2018-12021 affects Singularity releases 2.3.0–2.5.1, where an overlay filesystem access-control flaw may let a malicious user access sensitive information. Public references in OSV/GHSA show fixes in later releases (2.6.x), e.g., 2.6.0/2.6.1, addressing the overlay-propagation and access-cont...
CVE-2018-19295
CVE-2018-19295 affects Sylabs Singularity 2.4–2.6. The issue is tied to improper handling of mount namespaces, enabling local users to escalate privileges due to how mount points were joined or propagated. Public records in OSV/USN/SUSE advisories indicate a fix in Singularity 2.6.1 (openSUSE/SUS...
CVE-2023-30549
CVE-2023-30549 (Apptainer ext4 use-after-free) Affects Apptainer < 1.1.0 with apptainer-suid
CVE-2021-33622
CVE-2021-33622 affects Sylabs Singularity 3.5.x, 3.6.x, and SingularityPRO before 3.5-8. Root cause: an incorrect check of a function’s return value. This leads to potential improper handling of return codes in that code path. Remediation in the connected sources is to upgrade to Singularity 3.5-...
CVE-2021-33027
The CVE-2021-33027 entry concerns Sylabs Singularity Enterprise