Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/488378?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/488378?format=api", "purl": "pkg:apk/alpine/singularity@3.6.3-r0?arch=armhf&distroversion=v3.20&reponame=community", "type": "apk", "namespace": "alpine", "name": "singularity", "version": "3.6.3-r0", "qualifiers": { "arch": "armhf", "distroversion": "v3.20", "reponame": "community" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "3.6.4-r0", "latest_non_vulnerable_version": "4.1.1-r0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36383?format=api", "vulnerability_id": "VCID-a2rx-fr2c-vqej", "summary": "Insecure permissions on user namespace / fakeroot temporary rootfs in Singularity\n### Impact\n\nInsecure permissions on temporary directories used in fakeroot or user namespace container execution.\n\nWhen a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.\n\n### Patches\n\nThis issue is addressed in Singularity 3.6.3.\n\nAll users are advised to upgrade to 3.6.3.\n\n### Workarounds\n\nThe issue is mitigated if `TMPDIR` is set to a location that is only accessible to the user, as any subdirectories directly under `TMPDIR` cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: security@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25039", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74391", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74322", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74332", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74324", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74357", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74366", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74364", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74362", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74239", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74244", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74271", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74276", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74291", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74312", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74293", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74285", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25039" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7" }, { "reference_url": "https://medium.com/sylabs", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/sylabs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25039", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25039" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465", "reference_id": "970465", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/488378?format=api", "purl": "pkg:apk/alpine/singularity@3.6.3-r0?arch=armhf&distroversion=v3.20&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/singularity@3.6.3-r0%3Farch=armhf&distroversion=v3.20&reponame=community" } ], "aliases": [ "CVE-2020-25039", "GHSA-w6v2-qchm-grj7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a2rx-fr2c-vqej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46648?format=api", "vulnerability_id": "VCID-cjnx-2wm2-yyhg", "summary": "Insecure permissions on build temporary rootfs in Singularity\n### Impact\n\nInsecure permissions on temporary directories used in explicit and implicit container build operations.\n\nWhen a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.\n\n### Patches\n\nThis issue is addressed in Singularity 3.6.3.\n\nAll users are advised to upgrade to 3.6.3.\n\n### Workarounds\n\nThe issue is mitigated if `TMPDIR` is set to a location that is only accessible to the user, as any subdirectories directly under `TMPDIR` cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: security@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25040", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73129", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73058", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73067", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.7306", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73099", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.7311", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73107", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73101", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72958", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72971", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72991", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72967", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73004", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73018", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73043", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73022", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73015", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25040" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762" }, { "reference_url": "https://medium.com/sylabs", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/sylabs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25040", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25040" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465", "reference_id": "970465", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/488378?format=api", "purl": "pkg:apk/alpine/singularity@3.6.3-r0?arch=armhf&distroversion=v3.20&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/singularity@3.6.3-r0%3Farch=armhf&distroversion=v3.20&reponame=community" } ], "aliases": [ "CVE-2020-25040", "GHSA-jv9c-w74q-6762" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cjnx-2wm2-yyhg" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/singularity@3.6.3-r0%3Farch=armhf&distroversion=v3.20&reponame=community" }