CVE-2020-13845

high

Description

Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.

References

https://medium.com/sylabs

https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html

Details

Source: Mitre, NVD

Published: 2020-07-14

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: High