GHSA-jq42-hfch-42f3 – github.com/hpcng/singularity
Package
Manager: go
Name: github.com/hpcng/singularity
Vulnerable Version: >=3.7.2 <3.7.4
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint

# Impact
Due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) that specify a container with a `library://` URI always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than from the configured remote endpoint. An attacker who can push to the default remote endpoint may publish a malicious container under a URI identical to one a victim uses against a non-default remote endpoint, causing the victim to execute the malicious container instead of the one hosted on their own endpoint. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull`/`push` respect the configured remote endpoint.

# Patches
All users should upgrade to Singularity 3.7.4 or later.

# Workarounds
Users who only interact with the default remote endpoint, or who do not use `library://` URIs at all, are not affected. Installations with an execution control list (ECL) configured to restrict execution to containers signed with specific secure keys are not affected. Because `pull` does respect the configured remote endpoint, pulling the image first and then running the resulting local image file also avoids the affected code path.

# Acknowledgements
This issue was found by Mike Frisch and brought to our attention by Sylabs. Sylabs is making a [coordinated disclosure](https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394).

# For more information
General questions about the impact of the advisory can be asked in the:
- [Singularity Slack Channel](https://join.slack.com/t/hpcng/shared_invite/zt-qda4h1ls-OP0Uouq6sSmVE6i_0NrWdw)
- [Singularity Mailing List](https://groups.google.com/a/lbl.gov/g/singularity)

Any sensitive security concerns should be directed to: [singularity-security@hpcng.org](mailto:singularity-security@hpcng.org)
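The defect class described above, as an added Go example that is not Singularity's own code: a simplified `library://` resolver in its vulnerable form (the configured remote is accepted but never consulted, so every reference goes to the default endpoint) next to the corrected form, plus a check that classifies an installed version string against the advisory's affected range. `RemoteConfig`, `ResolveVulnerable`, `ResolveFixed`, `IsAffectedVersion`, the `https://<endpoint>/<path>` URL shape and the host `library.hpc.example.org` are assumptions made for the illustration; the real client builds a different API path.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// DefaultEndpoint is the default library endpoint named in the advisory.
const DefaultEndpoint = "cloud.sylabs.io"

// RemoteConfig is a simplified stand-in (assumed, not Singularity's own type)
// for the remote configuration: the name of the active remote and the
// hostname each remote name maps to.
type RemoteConfig struct {
	Active  string
	Remotes map[string]string
}

// libraryPath strips the scheme from a library:// reference and rejects
// anything that is not a library URI.
func libraryPath(uri string) (string, error) {
	const scheme = "library://"
	if !strings.HasPrefix(uri, scheme) {
		return "", errors.New("not a library:// URI")
	}
	p := strings.TrimPrefix(uri, scheme)
	if p == "" {
		return "", errors.New("empty library path")
	}
	return p, nil
}

// ResolveVulnerable models the behaviour the advisory describes for the
// action commands: the configured remote is accepted but never consulted,
// so every library:// reference is fetched from the default endpoint.
func ResolveVulnerable(uri string, cfg RemoteConfig) (string, error) {
	p, err := libraryPath(uri)
	if err != nil {
		return "", err
	}
	_ = cfg // the configured endpoint is ignored: this is the defect
	return "https://" + DefaultEndpoint + "/" + p, nil
}

// ResolveFixed is the corrected form: the active remote from the
// configuration is used, and the default applies only when no active
// remote is configured. A misconfigured active remote is an error rather
// than a silent fallback to the default.
func ResolveFixed(uri string, cfg RemoteConfig) (string, error) {
	p, err := libraryPath(uri)
	if err != nil {
		return "", err
	}
	endpoint := DefaultEndpoint
	if cfg.Active != "" {
		host, ok := cfg.Remotes[cfg.Active]
		if !ok || host == "" {
			return "", fmt.Errorf("active remote %q has no endpoint configured", cfg.Active)
		}
		endpoint = host
	}
	return "https://" + endpoint + "/" + p, nil
}

// IsAffectedVersion reports whether a Singularity version string falls in the
// advisory's vulnerable range (>= 3.7.2 and < 3.7.4). A leading "v" and any
// pre-release or build suffix (e.g. "3.7.3-rc.1") are ignored.
func IsAffectedVersion(v string) bool {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return false
	}
	var n [3]int
	for i, s := range parts {
		x, err := strconv.Atoi(s)
		if err != nil {
			return false
		}
		n[i] = x
	}
	if n[0] != 3 || n[1] != 7 {
		return false
	}
	return n[2] >= 2 && n[2] < 4
}

func main() {
	// Constructed configuration: the site runs its own library and has made
	// it the active remote.
	cfg := RemoteConfig{
		Active:  "site",
		Remotes: map[string]string{"site": "library.hpc.example.org"},
	}
	uri := "library://alice/default/tool:1.0"

	bad, _ := ResolveVulnerable(uri, cfg)
	good, _ := ResolveFixed(uri, cfg)
	fmt.Println("vulnerable fetches from:", bad)
	fmt.Println("fixed fetches from:     ", good)

	for _, v := range []string{"3.7.1", "3.7.2", "3.7.3", "3.7.4"} {
		fmt.Printf("%s affected: %v\n", v, IsAffectedVersion(v))
	}
}
```

The point the resolver makes is that the two functions accept the same reference and the same configuration and differ only in which host they contact; an attacker who controls `alice/default/tool:1.0` on the default endpoint wins exactly in the vulnerable path. The version check is the quick triage step before upgrading to 3.7.4 or later.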
Metadata
Created: 2021-06-01T21:20:53Z
Modified: 2021-10-05T17:22:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-jq42-hfch-42f3/GHSA-jq42-hfch-42f3.json
CWE IDs: ["CWE-20"]
Alternative ID: N/A
Finding: F184
Auto approve: 1