CVE-2019-11328

HIGH

Singularity 3.1.0-3.2.0-rc2 - Privilege Escalation

Title source: llm
STIX 2.1

Description

An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

References (8)

Core 8
Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/05/16/1
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108360
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html

Scores

CVSS v3 8.8
EPSS 0.0061
EPSS Percentile 69.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-732
Status published
Products (8)
fedoraproject/fedora 28
fedoraproject/fedora 29
fedoraproject/fedora 30
opensuse/backports sle-15 (2 CPE variants)
opensuse/leap 15.1
sylabs/singularity 3.2.0 (3 CPE variants)
sylabs/singularity 3.1.0 - 3.2.0
sylabs/singularity 3.1.0 - 3.2.0Go
Published May 14, 2019
Tracked Since Feb 18, 2026