
CVE-2022-39237 github.com/sylabs/sif/v2

Package

Manager: go
Name: github.com/sylabs/sif/v2
Vulnerable Version: >=0 <2.8.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

EPSS: 0.00056 (percentile: 0.17383)

Details

SIF's Digital Signature Hash Algorithms Not Validated

### Impact

The `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

### Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

### Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

### References

* [CVE-2004-2761](https://nvd.nist.gov/vuln/detail/cve-2004-2761)
* [CVE-2005-4900](https://nvd.nist.gov/vuln/detail/cve-2005-4900)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)
* Email us at [security@sylabs.io](mailto:security@sylabs.io)

Metadata

Created: 2022-10-06T19:54:55Z
Modified: 2023-01-10T16:09:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-m5m3-46gj-wch8/GHSA-m5m3-46gj-wch8.json
CWE IDs: ["CWE-327", "CWE-347"]
Alternative ID: GHSA-m5m3-46gj-wch8
Finding: F163
Auto approve: 1