CVE-2019-19724 — Incorrect Default Permissions in Sylabs Singularity

CWE-276 — Incorrect Default Permissions5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 45.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Sylabs Singularity Sylabs Singularity

Timeline

PublishedDec 18

Latest updateMay 24

Description

Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶Gogithub.com/sylabs_singularity3.3.0 — 3.5.2

▶NVDsylabs/singularity3.3.0 — 3.5.1

🔴Vulnerability Details

GHSA

Singularity insecure permissions↗2022-05-24

▶

OSV

Singularity insecure permissions↗2022-05-24

▶

CVEList

CVE-2019-19724: Insecure permissions (777) are set on $HOME/↗2019-12-18

▶

📋Vendor Advisories

Debian

CVE-2019-19724: singularity-container - Insecure permissions (777) are set on $HOME/.singularity when it is newly create...↗2019

▶