CVE-2020-13845

Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.

Published: Jul 14, 2020
Updated: May 9, 2024
CVE: CVE-2020-13845
GHSA: GHSA-pmfr-63c2-jr5c
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-347
CWE-354

Affected Software
References

Software	From	Fixed in
sylabs / singularity	3.0.0	3.5.0.x
github.com/sylabs/singularity	3.0.0	3.6.0

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html
https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c
https://medium.com/sylabs

Vulnerability Database

289,599

CVE-2020-13845