Debian Singularity-Container vulnerabilities
19 known vulnerabilities affecting debian/singularity-container.
Total CVEs: 19
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 8, MEDIUM 4, LOW 6
Vulnerabilities
CVE-2025-64750 | MEDIUM | CVSS 4.5 | 2025
CVE-2025-64750 [MEDIUM] singularity-container
SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the us
debian
CVE-2023-30549 | LOW | CVSS 7.1 | fixed in singularity-container 3.11.4+ds1-1 (sid) | 2023
CVE-2023-30549 [HIGH] singularity-container
Apptainer is an open source container platform for Linux. There is an ext4 use-after-free flaw that is exploitable through versions of Apptainer < 1.1.0 and installations that include apptainer-suid < 1.1.8 on older operating systems where that CVE has not been patched. That includes Red Hat Enterprise Linux 7, Debian 10 buster (unless the linux-5.10 p
debian
CVE-2022-39237 | MEDIUM | CVSS 6.3 | fixed in golang-github-sylabs-sif 2.8.3-1 (bookworm) | 2022
CVE-2022-39237 [MEDIUM] golang-github-sylabs-sif
sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to up
debian
CVE-2022-23538 | MEDIUM | CVSS 5.2 | fixed in singularity-container 3.11.0+ds1-1 (sid) | 2022
CVE-2022-23538 [MEDIUM] singularity-container
github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occu
debian
CVE-2021-33622 | CRITICAL | CVSS 9.8 | fixed in singularity-container 3.9.5+ds1-2 (sid) | 2021
CVE-2021-33622 [CRITICAL] singularity-container
Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value.
Scope: local
sid: resolved (fixed in 3.9.5+ds1-2)
debian
CVE-2021-33027 | LOW | CVSS 9.8 | 2021
CVE-2021-33027 [CRITICAL] singularity-container
Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce.
Scope: local
sid: resolved
debian
CVE-2021-32635 | LOW | CVSS 6.3 | 2021
CVE-2021-32635 [MEDIUM] singularity-container
Singularity is an open source container platform. In versions 3.7.2 and 3.7.3, due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote e
debian
CVE-2020-15229 | HIGH | CVSS 8.2 | fixed in singularity-container 3.9.5+ds1-2 (sid) | 2020
CVE-2020-15229 [HIGH] singularity-container
Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automa
debian
CVE-2020-13845 | HIGH | CVSS 7.5 | fixed in singularity-container 3.9.5+ds1-2 (sid) | 2020
CVE-2020-13845 [HIGH] singularity-container
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
Scope: local
sid: resolved (fixed in
debian
CVE-2020-13846 | HIGH | CVSS 7.5 | fixed in singularity-container 3.9.5+ds1-2 (sid) | 2020
CVE-2020-13846 [HIGH] singularity-container
Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
Scope: local
sid: resolved (fixed in 3.9.5+ds1-2)
debian
CVE-2020-13847 | HIGH | CVSS 7.5 | fixed in singularity-container 3.9.5+ds1-2 (sid) | 2020
CVE-2020-13847 [HIGH] singularity-container
Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
Scope: local
sid: resolved (fixed in 3.9.5+ds1-2)
debian
CVE-2020-25039 | HIGH | CVSS 8.1 | fixed in singularity-container 3.9.5+ds1-2 (sid) | 2020
CVE-2020-25039 [HIGH] singularity-container
Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
Scope: local
sid: resolved (fixed in 3.9.5+ds1-2)
debian
CVE-2020-25040 | HIGH | CVSS 8.1 | fixed in singularity-container 3.9.5+ds1-2 (sid) | 2020
CVE-2020-25040 [HIGH] singularity-container
Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.
Scope: local
sid: resolved (fixed in 3.9.5+ds1-2)
debian
CVE-2019-19724 | HIGH | CVSS 7.5 | fixed in singularity-container 3.5.2+ds1-1 (sid) | 2019
CVE-2019-19724 [HIGH] singularity-container
Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
Scope: local
sid: resolved (fixed in 3.5.2+ds1-1)
debian
CVE-2019-9946 | LOW | CVSS 7.5 | fixed in kubernetes 1.17.4-1 (bookworm) | 2019
CVE-2019-9946 [HIGH] golang-github-containernetworking-plugins
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to set up HostPorts for CNI, inserts rules at the front of the iptables nat chains, which take precedence over the KUBE-SERVICES chain. Because of this, th
debian
CVE-2019-11328 | LOW | CVSS 8.8 | 2019
CVE-2019-11328 [HIGH] singularity-container
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing//`. The manipulation of those files can change the behavior of the starter-suid program whe
debian
CVE-2019-10214 | LOW | CVSS 5.9 | fixed in singularity-container 3.5.0+ds1-1 (sid) | 2019
CVE-2019-10214 [MEDIUM] golang-github-containers-image
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or
debian
CVE-2018-19295 | HIGH | CVSS 7.8 | fixed in singularity-container 2.6.1-1 (sid) | 2018
CVE-2018-19295 [HIGH] singularity-container
Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.
Scope: local
sid: resolved (fixed in 2.6.1-1)
debian
CVE-2018-12021 | MEDIUM | CVSS 6.5 | fixed in singularity-container 2.5.2-1 (sid) | 2018
CVE-2018-12021 [MEDIUM] singularity-container
Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features.
Scope: local
sid: resolved (fixed in 2.5.2-1)
debian