Github.Com Sylabs Singularity vulnerabilities
9 known vulnerabilities affecting github.com/sylabs_singularity.
Total CVEs: 9
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 8, MEDIUM 1
Vulnerabilities
CVE-2019-19724 | HIGH | ≥ 3.3.0, < 3.5.2 | 2022-05-24
CVE-2019-19724 [HIGH] CWE-276 Singularity insecure permissions
Insecure permissions (777) are set on `$HOME/.singularity` when it is newly created by Singularity (versions 3.3.0 to 3.5.1), which could lead to an information leak and to malicious redirection of operations performed against Sylabs cloud services.
CVE-2018-19295 | HIGH | ≥ 2.4.0, < 2.6.1 | 2022-05-14
CVE-2018-19295 [HIGH] CWE-20 Sylabs Singularity Improper Input Validation
Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.
CVE-2019-11328 | HIGH | ≥ 3.1.0, < 3.2.0 | 2021-12-20
CVE-2019-11328 [HIGH] CWE-269 Incorrect Permission Assignment for Critical Resource in Singularity
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2. A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing//`. The manipulation of those files can change the behavior of the s
CVE-2020-25039 | HIGH | ≥ 3.2.0, < 3.6.3 | 2021-12-20
CVE-2020-25039 [HIGH] CWE-668 Insecure permissions on user namespace / fakeroot temporary rootfs in Singularity
### Impact
Insecure permissions on temporary directories used in fakeroot or user namespace container execution.
When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to in
CVE-2020-13846 | HIGH | ≥ 3.5.0, < 3.6.0 | 2021-12-20
CVE-2020-13846 [HIGH] "Verify All" Returns Success Despite Validation Failures in Singularity
### Impact
The `--all / -a` option to `singularity verify` returns success even when some objects in a SIF container are not signed, or cannot be verified.
The SIF objects that are not verified are reported in `WARNING` log messages, but a `Container Verified` message and exit code of `0` are returned.
Workflows that verify a co
CVE-2020-13845 | HIGH | ≥ 3.0.0, < 3.6.0 | 2021-12-20
CVE-2020-13845 [HIGH] CWE-347 Execution Control List (ECL) Is Insecure in Singularity
### Impact
The Singularity Execution Control List (ECL) allows system administrators to set up a policy that defines rules about what signature(s) must be (or must not be) present on a SIF container image for it to be permitted to run.
In Singularity 3.x versions below 3.6.0, the following issues allow the ECL to be bypassed by a malicious user:
* Imag
CVE-2021-32635 | MEDIUM | ≥ 3.7.2, < 3.7.4 | 2021-06-01
CVE-2021-32635 [MEDIUM] CWE-20 Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint
### Impact
Due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoin
CVE-2020-15229 | HIGH | ≥ 3.1.1, < 3.6.4 | 2021-05-24
CVE-2020-15229 [HIGH] CWE-22 Path traversal and files overwrite with unsquashfs in singularity
### Impact
Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs` (a distribution provided utility used by Singularity), it is possible to overwrite/create any files on the host filesystem during the extraction of a crafted squashfs filesystem.
Squashfs extraction occurs automatically for unpr
CVE-2020-25040 | HIGH | ≥ 0, < 3.6.3 | 2021-05-24
CVE-2020-25040 [HIGH] CWE-668 Insecure permissions on build temporary rootfs in Singularity
### Impact
Insecure permissions on temporary directories used in explicit and implicit container build operations.
When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a wo