Aggregates CVE and security vulnerability intelligence across all sylabs-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk input validation, vendor risk path handling, and vendor risk memory corruption, with potential vendor impact file overwrite across vendor surface production workloads use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-30549 | Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 package is installed), Ubuntu 18.04 bionic and Ubuntu 20.04 focal. Use-after-free flaws in the kernel can be used to attack the kernel for denial o | [email protected] | 7.1 | 0.03% | 2023-04-25 | 2024-11-21 |
| CVE-2022-23538 | github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. D | [email protected] | 5.2 | 0.38% | 2023-01-17 | 2024-11-21 |
| CVE-2022-39237 | syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographical | [email protected] | 6.3 | 0.25% | 2022-10-06 | 2024-11-21 |
| CVE-2021-33027 | Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. | [email protected] | 9.8 | 0.61% | 2021-07-19 | 2024-11-21 |
| CVE-2021-33622 | Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value. | [email protected] | 9.8 | 0.55% | 2021-06-15 | 2024-11-21 |
| CVE-2021-32635 | Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a vict | [email protected] | 6.3 | 0.63% | 2021-05-28 | 2024-11-21 |
| CVE-2021-29499 | SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` | [email protected] | 7.5 | 0.32% | 2021-05-07 | 2024-11-21 |
| CVE-2021-29136 | Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. | [email protected] | 5.5 | 0.15% | 2021-04-06 | 2024-11-21 |
| CVE-2020-15229 | Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local | [email protected] | 8.2 | 0.88% | 2020-10-14 | 2024-11-21 |
| CVE-2020-25040 | Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039. | [email protected] | 8.8 | 0.74% | 2020-09-16 | 2024-11-21 |
| CVE-2020-25039 | Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution. | [email protected] | 8.1 | 0.81% | 2020-09-16 | 2024-11-21 |
| CVE-2020-13847 | Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. | [email protected] | 7.5 | 0.17% | 2020-07-14 | 2024-11-21 |
| CVE-2020-13846 | Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code. | [email protected] | 7.5 | 0.37% | 2020-07-14 | 2024-11-21 |
| CVE-2020-13845 | Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature. | [email protected] | 7.5 | 0.13% | 2020-07-14 | 2024-11-21 |
| CVE-2019-19724 | Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. | [email protected] | 7.5 | 0.25% | 2019-12-18 | 2024-11-21 |
| CVE-2019-11328 | An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host. | [email protected] | 8.8 | 0.61% | 2019-05-14 | 2024-11-21 |
| CVE-2018-19295 | Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks. | [email protected] | 7.8 | 0.12% | 2018-12-17 | 2024-11-21 |
| CVE-2018-12021 | Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features. | [email protected] | 6.5 | 0.43% | 2018-07-05 | 2024-11-21 |