Description
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_misc
https://medium.com/sylabs
Third Party Advisory x_refsource_misc
https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c
Broken Link vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
Broken Link vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
Broken Link vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html
Scores
CVSS v3
7.5
EPSS
0.0052
EPSS Percentile
39.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-354
CWE-347
Status
published
Products (2)
sylabs/singularity
3.0.0 - 3.5.0
sylabs/singularity
3.0.0 - 3.6.0Go
Published
Jul 14, 2020
Tracked Since
Feb 18, 2026