CVE-2020-15229

CWE-22 Path Traversal | 8 documents | 6 sources
Severity: 9.3 CRITICAL
EPSS: 0.9% (top 24.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 14
Latest update: May 24

Description

Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite or create any file on the host filesystem during extraction of a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) runs of Singularity when a user attempts to run an image which is a local

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Exploitability: 2.8 | Impact: 4.7

Affected Packages (5 packages)

CVEListV5 | hpcng/singularity | < 3.6.4
Go | github.com/sylabs/singularity | 3.1.1 | 3.6.4
NVD | sylabs/singularity | 3.1.1 | 3.6.3
NVD | opensuse/leap | 15.1, 15.2 | +1

Patches

🔴 Vulnerability Details (3)

GHSA: Path traversal and files overwrite with unsquashfs in singularity (2021-05-24)
OSV: Path traversal and files overwrite with unsquashfs in singularity (2021-05-24)
CVEList: Path traversal and files overwrite with unsquashfs (2020-10-14)

📋 Vendor Advisories (1)

Debian: CVE-2020-15229: singularity-container - Singularity (an open source container platform) from version 3.1.1 through 3.6.3... (2020)

💬 Community (3)

Bugzilla: CVE-2020-15229 singularity: path traversal and files overwrite with unsquashfs [epel-all] (2020-10-15)
Bugzilla: CVE-2020-15229 singularity: path traversal and files overwrite with unsquashfs (2020-10-15)
Bugzilla: CVE-2020-15229 singularity: path traversal and files overwrite with unsquashfs [fedora-all] (2020-10-15)