CVE-2021-29499

2021-05-07T00:00:00

Description

SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.

Affected Package

OS	OS Version	Package Name	Package Version
ubuntu	20.04	golang-github-sylabs-sif	any
ubuntu	22.04	golang-github-sylabs-sif	any
ubuntu	upstream	golang-github-sylabs-sif	any
ubuntu	upstream	golang-github-sylabs-sif	any
ubuntu	upstream	golang-github-sylabs-sif	any

{"id": "UB:CVE-2021-29499", "vendorId": null, "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2021-29499", "description": "SIF is an open source implementation of the Singularity Container Image\nFormat. The `siftool new` command and func siftool.New() produce\npredictable UUID identifiers due to insecure randomness in the version of\nthe `github.com/satori/go.uuid` module used as a dependency. A patch is\navailable in version >= v1.2.3 of the module. Users are encouraged to\nupgrade. As a workaround, users passing CreateInfo struct should ensure the\n`ID` field is generated using a version of `github.com/satori/go.uuid` that\nis not vulnerable to this issue.", "published": "2021-05-07T00:00:00", "modified": "2021-05-07T00:00:00", "epss": [{"cve": "CVE-2021-29499", "epss": 0.00205, "percentile": 0.57128, "modified": "2023-05-27"}], "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://ubuntu.com/security/CVE-2021-29499", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29499", "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg", "https://nvd.nist.gov/vuln/detail/CVE-2021-29499", "https://launchpad.net/bugs/cve/CVE-2021-29499", "https://security-tracker.debian.org/tracker/CVE-2021-29499"], "cvelist": ["CVE-2021-29499"], "immutableFields": [], "lastseen": "2023-05-28T13:30:18", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-29499"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-29499"]}, {"type": "github", "idList": ["GHSA-4GH8-X3VV-PHHG"]}, {"type": "osv", "idList": ["OSV:GHSA-4GH8-X3VV-PHHG"]}]}, "score": {"value": 7.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-29499"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-29499"]}, {"type": "github", "idList": ["GHSA-4GH8-X3VV-PHHG"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-29499", "epss": 0.00205, "percentile": 0.57032, "modified": "2023-05-07"}], "vulnersScore": 7.3}, "_state": {"dependencies": 1685280701, "score": 1685280776, "epss": 0}, "_internal": {"score_hash": "ec616097721bcb469a32d34c74cf1e05"}, "affectedPackage": [{"OS": "ubuntu", "OSVersion": "20.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "golang-github-sylabs-sif"}, {"OS": "ubuntu", "OSVersion": "22.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "golang-github-sylabs-sif"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "golang-github-sylabs-sif"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "golang-github-sylabs-sif"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "golang-github-sylabs-sif"}], "bugs": []}

{"osv": [{"lastseen": "2023-01-10T16:37:01", "description": "### Impact\n\nThe `siftool new` command and [func siftool.New()](https://pkg.go.dev/github.com/sylabs/sif/pkg/siftool#New) produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.\n\n### Patches\n\nA patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.\n\nThe patch is commit https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d\n\n### Workarounds\nUsers passing [CreateInfo struct](https://pkg.go.dev/github.com/sylabs/sif/pkg/sif#CreateInfo) should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:\n\n```\ngo get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557\n```\n\n### References\n* https://github.com/satori/go.uuid/issues/73\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)\n* Email us at [security@sylabs.io](mailto:security@sylabs.io)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-18T18:30:38", "type": "osv", "title": "Predictable SIF UUID Identifiers in github.com/sylabs/sif", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2023-01-10T16:09:36", "id": "OSV:GHSA-4GH8-X3VV-PHHG", "href": "https://osv.dev/vulnerability/GHSA-4gh8-x3vv-phhg", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "github": [{"lastseen": "2023-05-27T15:15:55", "description": "### Impact\n\nThe `siftool new` command and [func siftool.New()](https://pkg.go.dev/github.com/sylabs/sif/pkg/siftool#New) produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.\n\n### Patches\n\nA patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.\n\nThe patch is commit https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d\n\n### Workarounds\nUsers passing [CreateInfo struct](https://pkg.go.dev/github.com/sylabs/sif/pkg/sif#CreateInfo) should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:\n\n```\ngo get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557\n```\n\n### References\n* https://github.com/satori/go.uuid/issues/73\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)\n* Email us at [security@sylabs.io](mailto:security@sylabs.io)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-18T18:30:38", "type": "github", "title": "Predictable SIF UUID Identifiers in github.com/sylabs/sif", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2023-02-03T05:00:50", "id": "GHSA-4GH8-X3VV-PHHG", "href": "https://github.com/advisories/GHSA-4gh8-x3vv-phhg", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2023-05-27T15:13:22", "description": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T21:15:00", "type": "debiancve", "title": "CVE-2021-29499", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2021-05-07T21:15:00", "id": "DEBIANCVE:CVE-2021-29499", "href": "https://security-tracker.debian.org/tracker/CVE-2021-29499", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-05-27T14:37:16", "description": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-05-07T21:15:00", "type": "cve", "title": "CVE-2021-29499", "cwe": ["CWE-330"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-29499"], "modified": "2021-05-19T18:53:00", "cpe": [], "id": "CVE-2021-29499", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29499", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": []}]}

CVE-2021-29499

Description

Affected Package

Related