CVE-2019-19724

EUVD-2022-4576
Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Affected Products (NVD)
VendorProductVersion
sylabssingularity
3.3.0 ≤
𝑥
≤ 3.5.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
singularity-container
sid
4.1.5+ds3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
singularity-container
bionic
not-affected
disco
not-affected
eoan
not-affected
trusty
dne
xenial
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
https://github.com/sylabs/singularity/releases/tag/v3.5.2
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
https://github.com/sylabs/singularity/releases/tag/v3.5.2