CVE-2019-19724

Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
sylabssingularity
3.3.0 ≤
𝑥
≤ 3.5.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
singularity-container
sid
4.1.5+ds3-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
singularity-container
eoan
not-affected
disco
not-affected
bionic
not-affected
xenial
dne
trusty
dne
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
https://github.com/sylabs/singularity/releases/tag/v3.5.2
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
https://github.com/sylabs/singularity/releases/tag/v3.5.2