Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Singularity
(Sylabs)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 15 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-10-14 | CVE-2020-15229 | Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a... | Backports_sle, Leap, Singularity | 9.3 | ||
| 2021-05-28 | CVE-2021-32635 | Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a... | Singularity | 6.3 | ||
| 2021-07-19 | CVE-2021-33027 | Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce. | Singularity | 9.8 | ||
| 2020-09-16 | CVE-2020-25039 | Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution. | Leap, Singularity | 8.1 | ||
| 2020-09-16 | CVE-2020-25040 | Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039. | Leap, Singularity | 8.8 | ||
| 2021-06-15 | CVE-2021-33622 | Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value. | Singularity, Singularitypro | 9.8 | ||
| 2021-04-06 | CVE-2021-29136 | Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. | Umoci, Singularity | 5.5 | ||
| 2019-12-18 | CVE-2019-19724 | Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services. | Singularity | N/A | ||
| 2018-07-05 | CVE-2018-12021 | Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features. | Singularity | 6.5 | ||
| 2018-12-17 | CVE-2018-19295 | Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks. | Singularity | 7.8 |