CVE-2019-11328
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 1
Exploited in Wild: -
Decision
Descriptions
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2. A malicious user with local/network access to the host system (e.g. ssh) could exploit this vulnerability due to insecure permissions allowing a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. The manipulation of those files can change the behavior of the starter-suid program when instances are joined, resulting in potential privilege escalation on the host.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-04-18 CVE Reserved
- 2019-05-14 CVE Published
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- 2024-10-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/108360 | Broken Link | |
https://github.com/sylabs/singularity/releases/tag/v3.2.0 | Release Notes | |

URL | Date | SRC |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/05/16/1 | 2024-08-04 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Sylabs | Singularity | >= 3.1.0 < 3.2.0 | - | Affected |
Sylabs | Singularity | 3.2.0 | - | Affected |
Sylabs | Singularity | 3.2.0 | rc1 | Affected |
Sylabs | Singularity | 3.2.0 | rc2 | Affected |
Fedoraproject | Fedora | 28 | - | Affected |
Fedoraproject | Fedora | 29 | - | Affected |
Fedoraproject | Fedora | 30 | - | Affected |
Opensuse | Backports | sle-15 | - | Affected |
Opensuse | Backports | sle-15 | sp1 | Affected |
Opensuse | Leap | 15.1 | - | Affected |