Lookup for vulnerable packages by Package URL.
| Purl | pkg:deb/debian/golang-github-sylabs-sif@2.3.1-2?distro=trixie |
|---|
| Type | deb |
|---|
| Namespace | debian |
|---|
| Name | golang-github-sylabs-sif |
|---|
| Version | 2.3.1-2 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | 2.8.3-1 |
|---|
| Latest_non_vulnerable_version | 2.24.0-1 |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-wr6q-4294-yugh |
| vulnerability_id |
VCID-wr6q-4294-yugh |
| summary |
Predictable SIF UUID Identifiers in github.com/sylabs/sif
### Impact
The `siftool new` command and [func siftool.New()](https://pkg.go.dev/github.com/sylabs/sif/pkg/siftool#New) produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.
### Patches
A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade.
The patch is commit https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d
### Workarounds
Users passing [CreateInfo struct](https://pkg.go.dev/github.com/sylabs/sif/pkg/sif#CreateInfo) should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:
```
go get github.com/satori/go.uuid@75cca531ea763666bc46e531da3b4c3b95f64557
```
### References
* https://github.com/satori/go.uuid/issues/73
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [github.com/sylabs/sif](https://github.com/sylabs/sif/issues/new)
* Email us at [security@sylabs.io](mailto:security@sylabs.io) |
| references |
| 0 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-29499 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54784 |
| published_at |
2026-04-21T12:55:00Z |
|
| 1 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54748 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54771 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.5474 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54791 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54788 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54799 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54783 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54761 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.548 |
| published_at |
2026-04-16T12:55:00Z |
|
| 10 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54802 |
| published_at |
2026-04-18T12:55:00Z |
|
| 11 |
| value |
0.00317 |
| scoring_system |
epss |
| scoring_elements |
0.54678 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-29499 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
|
| fixed_packages |
|
| aliases |
CVE-2021-29499, GHSA-4gh8-x3vv-phhg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wr6q-4294-yugh |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-sylabs-sif@2.3.1-2%3Fdistro=trixie |
|---|