CVE-2020-25040 — Resource Exposure in Sylabs Singularity

CWE-668 — Resource Exposure CWE-732 — Incorrect Permission Assignment9 documents6 sources

Severity

8.8HIGHNVD

CNA8.1OSV8.1

EPSS

0.7%

top 26.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Sylabs Singularity Sylabs Singularity Opensuse Leap

Timeline

PublishedSep 16

Latest updateMay 24

Description

Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Gogithub.com/sylabs_singularity< 3.6.3

▶NVDsylabs/singularity3.6.2

▶NVDopensuse/leap15.1, 15.2+1

🔴Vulnerability Details

OSV

Insecure permissions on build temporary rootfs in Singularity↗2021-05-24

▶

GHSA

Insecure permissions on build temporary rootfs in Singularity↗2021-05-24

▶

OSV

CVE-2020-25040: Sylabs Singularity through 3↗2020-09-16

▶

CVEList

CVE-2020-25040: Sylabs Singularity through 3↗2020-09-16

▶

📋Vendor Advisories

Debian

CVE-2020-25040: singularity-container - Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directori...↗2020

▶

💬Community

Bugzilla

CVE-2020-25040 singularity: sinularity: Insecure Permissions on temporary directories [fedora-all]↗2020-09-24

▶

Bugzilla

CVE-2020-25040 singularity: sinularity: Insecure Permissions on temporary directories [epel-all]↗2020-09-24

▶

Bugzilla

CVE-2020-25040 singularity: Insecure Permissions on temporary directories↗2020-09-24

▶