CVE-2020-13845: Improper Verification of Cryptographic Signature in Sylabs Singularity

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 76.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 14; latest update Dec 20

Description

Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Go: github.com/sylabs_singularity 3.0.0 3.6.0
NVD: sylabs/singularity 3.0.0 3.5.0

🔴 Vulnerability Details (4)

OSV: Execution Control List (ECL) Is Insecure in Singularity (2021-12-20)
GHSA: Execution Control List (ECL) Is Insecure in Singularity (2021-12-20)
CVEList: CVE-2020-13845: Sylabs Singularity 3 (2020-07-14)
OSV: CVE-2020-13845: Sylabs Singularity 3 (2020-07-14)

📋 Vendor Advisories (1)

Debian: CVE-2020-13845: singularity-container - Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check... (2020)
CVE-2020-13845 — Sylabs Singularity vulnerability | cvebase