CVE-2019-11328 — Incorrect Permission Assignment in Sylabs Singularity
CWE-732 — Incorrect Permission AssignmentCWE-269 — Improper Privilege Management8 documents6 sources
Severity
8.8HIGHNVD
EPSS
0.6%
top 30.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
PublishedMay 14
Latest updateDec 20
Description
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing//`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9
Affected Packages4 packages
Also affects: Fedora 28, 29, 30
🔴Vulnerability Details
3📋Vendor Advisories
1Debian▶
CVE-2019-11328: singularity-container - An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with...↗2019
💬Community
3Bugzilla▶
CVE-2019-11328 singularity: manipulation of file within run/singularity/instances/sing/<user>/<instance> leads to privilege escalation↗2019-05-15
Bugzilla▶
CVE-2019-11328 singularity: manipulation of file within run/singularity/instances/sing/<user>/<instance> leads to privilege escalation [fedora-all]↗2019-05-15
Bugzilla▶
CVE-2019-11328 singularity: manipulation of file within run/singularity/instances/sing/<user>/<instance> leads to privilege escalation [epel-all]↗2019-05-15