CVE-2019-11328

An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within /run/singularity/instances/sing/<user>/<instance>. The manipulation of those files can change the behavior of the starter-suid program when instances are joined resulting in potential privilege escalation on the host.

Published: May 14, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-11328
GHSA: GHSA-557g-r22w-9wvx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

Affected Software
References

Software	From	Fixed in
sylabs / singularity	3.1.0	3.2.0
sylabs / singularity	3.2.0	3.2.0.x
sylabs / singularity	3.2.0-rc1	3.2.0-rc1.x
sylabs / singularity	3.2.0-rc2	3.2.0-rc2.x
fedoraproject / fedora	28	28.x
fedoraproject / fedora	29	29.x
fedoraproject / fedora	30	30.x
opensuse / leap	15.1	15.1.x
opensuse / backports	sle-15-sp1	sle-15-sp1.x
opensuse / backports	sle-15	sle-15.x
github.com/sylabs/singularity/internal/pkg/runtime/engines/singularity	3.1.0	3.2.0

Vulnerability Database

289,697

CVE-2019-11328