Vulnerability Database
296,733
Total vulnerabilities in the database
CVE-2021-32635
Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (run/shell/exec) against library:// URIs are affected. Other commands such as pull / push respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
| Software | From | Fixed in |
|---|---|---|
| sylabs / singularity | 3.7.2 | 3.7.2.x |
| sylabs / singularity | 3.7.3 | 3.7.3.x |
github.com/sylabs/singularity
|
3.7.2 | 3.7.4 |
- https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3
- https://github.com/sylabs/singularity/commit/d52ae9d13979733c5e987a566fae59ed6f1bf796
- https://github.com/sylabs/singularity/releases/tag/v3.7.4
- https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394
- https://security.gentoo.org/glsa/202107-50
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime