# CVE-2022-39237
Published 2022-10-06
Priority: P345 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% (37.6th percentile)
sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-sylabs-sif | < golang-github-sylabs-sif 2.8.3-1 (bookworm) | golang-github-sylabs-sif 2.8.3-1 (bookworm) |
| debian | singularity-container | < golang-github-sylabs-sif 2.8.3-1 (bookworm) | golang-github-sylabs-sif 2.8.3-1 (bookworm) |
| github.com | sylabs_sif_v2 | >= 0 < 2.8.1 | 2.8.1 |
| sylabs | sif | < 2.8.1 | 2.8.1 |
| sylabs | singularity_image_format | < 2.8.1 | 2.8.1 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 5.0 | MEDIUM | |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 6.3 | MEDIUM | |
OSV · 2022-10-21: Improper validation of signature hash algorithms in github.com/sylabs/sif/v2
The Singularity Image Format (SIF) reference implementation does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.
OSV · 2022-10-06 · CVSS 9.8 (CRITICAL): CVE-2022-39237: sylabs/sif is the Singularity Image Format (SIF) reference implementation
(Same description as the CVE text above.)
GHSA · 2022-10-06 · CVSS 5.0 (MEDIUM) · CWE-327: SIF's Digital Signature Hash Algorithms Not Validated
### Impact
The `github.com/sylabs/sif/v2/pkg/integrity` package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.
### Patches
A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.
The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa
### Workarounds
Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
### References
* [CVE-2004-2761](https://nvd.nist.gov/vuln/detail/cve-2004-2761)
* [CVE-2005-4900](https://nvd.nist.gov/vuln/detail/cve-2005-4900)
### For more information
If you have any questions or comme
OSV · 2022-10-06 · CVSS 5.0 (MEDIUM): SIF's Digital Signature Hash Algorithms Not Validated (same advisory text as the GHSA entry above)
Debian · 2022 · CVSS 6.3 (MEDIUM): CVE-2022-39237: golang-github-sylabs-sif
(Same description as the CVE text above.)
Scope: local
bookworm: resolved (fixed in 2.8.3-1)
bullseye: open
forky: resolved (fixed in 2.8.3-1)
sid: resolved (fixed in 2.8.3-1)
trixie: resolved (fixed in 2.8.3-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
* https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa
* https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
* https://security.gentoo.org/glsa/202210-19
Published: 2022-10-06