Sylabs Singularity vulnerabilities
15 known vulnerabilities affecting sylabs/singularity.
Total CVEs: 15
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 8, MEDIUM 4
Vulnerabilities
CVE-2025-64750 [MEDIUM] CVSS 4.5 | CWE-61 | v> 4.2.0-rc.1, < 4.3.5; fixed in 4.1.11 | 2025-12-02
SingularityCE and SingularityPRO are open source container platforms. Prior to SingularityCE 4.3.5 and SingularityPRO 4.1.11 and 4.3.5, if a user relies on LSM restrictions to prevent malicious operations then, under certain circumstances, an attacker can redirect the LSM label write operation so that it is ineffective. The attacker must cause the us
cvelistv5, nvd
CVE-2021-33027 [CRITICAL] CVSS 9.8 | CWE-331 | ≥ 1.2.0, < 1.2.6; ≥ 1.3.0, < 1.3.4; +3 more | 2021-07-19
Sylabs Singularity Enterprise through 1.6.2 has Insufficient Entropy in a nonce.
nvd
CVE-2021-33622 [CRITICAL] CVSS 9.8 | CWE-754 | ≥ 3.5.0, < 3.7.0 | 2021-06-15
Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value.
nvd
CVE-2021-32635 [MEDIUM] CVSS 6.3 | CWE-20 | v3.7.2; v3.7.3; +1 more | 2021-05-28
Singularity is an open source container platform. In versions 3.7.2 and 3.7.3, due to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote e
cvelistv5, nvd
CVE-2021-29136 [MEDIUM] CVSS 5.5 | CWE-20 | fixed in 3.7.3 | 2021-04-06
Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used.
nvd
CVE-2020-15229 [CRITICAL] CVSS 9.3 | CWE-22 | ≥ 3.1.1, ≤ 3.6.3 | 2020-10-14
Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs au
nvd
CVE-2020-25040 [HIGH] CVSS 8.8 | ≤ 3.6.2 | 2020-09-16
Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039.
nvd
CVE-2020-25039 [HIGH] CVSS 8.1 | CWE-668 | ≥ 3.2.0, ≤ 3.6.2 | 2020-09-16
Sylabs Singularity 3.2.0 through 3.6.2 has Insecure Permissions on temporary directories used in fakeroot or user namespace container execution.
nvd
CVE-2020-13845 [HIGH] CVSS 7.5 | CWE-347 | ≥ 3.0.0, ≤ 3.5.0 | 2020-07-14
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
nvd
CVE-2020-13847 [HIGH] CVSS 7.5 | CWE-354 | ≥ 3.0.0, ≤ 3.5.0 | 2020-07-14
Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.
nvd
CVE-2020-13846 [HIGH] CVSS 7.5 | ≥ 3.5.0, ≤ 3.5.3 | 2020-07-14
Sylabs Singularity 3.5.0 through 3.5.3 fails to report an error in a Status Code.
nvd
CVE-2019-19724 [HIGH] CVSS 7.5 | CWE-276 | ≥ 3.3.0, ≤ 3.5.1 | 2019-12-18
Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
nvd
CVE-2019-11328 [HIGH] CVSS 8.8 | CWE-732 | ≥ 3.1.0, < 3.2.0; v3.2.0 | 2019-05-14
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing//`. The manipulation of those files can change the behavior of the starter-suid program wh
nvd
CVE-2018-19295 [HIGH] CVSS 7.8 | CWE-20 | ≥ 2.4, ≤ 2.6.0 | 2018-12-17
Sylabs Singularity 2.4 to 2.6 allows local users to conduct Improper Input Validation attacks.
nvd
CVE-2018-12021 [MEDIUM] CVSS 6.5 | CWE-200 | ≥ 2.3.0, ≤ 2.5.1 | 2018-07-05
Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features.
nvd