CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-29136
https://notcve.org/view.php?id=CVE-2021-29136
Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used. Open Container Initiative umoci versiones anteriores a 0.4.7, permite a atacantes sobrescribir rutas de host arbitrarias por medio de una imagen diseñada que causa un salto de enlace simbólico cuando es usado "umoci unpack" o "umoci raw unpack" • http://www.openwall.com/lists/oss-security/2021/04/06/2 https://github.com/opencontainers/umoci/commit/d9efc31daf2206f7d3fdb839863cf7a576a2eb57 https://github.com/opencontainers/umoci/security/advisories/GHSA-9m95-8hx6-7p9v • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-15229 – Path traversal and files overwrite with unsquashfs
https://notcve.org/view.php?id=CVE-2020-15229
Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. • http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00070.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00071.html http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00009.html https://github.com/hpcng/singularity/blob/v3.6.4/CHANGELOG.md#security-related-fixes https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e https://github.com/hpcng/singularity/pull/5611 https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2020-25040
https://notcve.org/view.php?id=CVE-2020-25040
Sylabs Singularity through 3.6.2 has Insecure Permissions on temporary directories used in explicit and implicit container build operations, a different vulnerability than CVE-2020-25039. Sylabs Singularity versiones hasta 3.6.2, presenta permisos no seguros en directorios temporales utilizados en operaciones de compilación de contenedores explícitas e implícitas, una vulnerabilidad diferente a CVE-2020-25039 • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762 https://medium.com/sylabs • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13845
https://notcve.org/view.php?id=CVE-2020-13845
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature. Sylabs Singularity versiones 3.0 hasta 3.5, presenta una Comprobación Inapropiada de un Valor de Comprobación de Integridad. La integridad de la imagen no es comprobada cuando una política ECL es aplicada. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c https://medium.com/sylabs • CWE-347: Improper Verification of Cryptographic Signature CWE-354: Improper Validation of Integrity Check Value •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-13847
https://notcve.org/view.php?id=CVE-2020-13847
Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file. Sylabs Singularity versiones 3.0 hasta 3.5, carece de soporte para una Comprobación de Integridad. Los comandos de firma y verificación de Singularity no firman metadatos encontrados en el encabezado global o en los descriptores de objetos de datos de un archivo SIF • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html https://github.com/hpcng/singularity/security/advisories/GHSA-m7j2-9565-4h9v https://medium.com/sylabs • CWE-354: Improper Validation of Integrity Check Value •