Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/939441?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "type": "deb", "namespace": "debian", "name": "singularity-container", "version": "3.9.5+ds1-2", "qualifiers": { "distro": "sid" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "3.10.3+ds1-1", "latest_non_vulnerable_version": "4.1.5+ds4-1", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36812?format=api", "vulnerability_id": "VCID-5ftw-539a-kbdz", "summary": "\"Verify All\" Returns Success Despite Validation Failures in Singularity\n### Impact\n\nThe `--all / -a` option to `singularity verify` returns success even when some objects in a SIF container are not signed, or cannot be verified.\n\nThe SIF objects that are not verified are reported in `WARNING` log messages, but a `Container Verified` message and exit code of `0` are returned.\n\nWorkflows that verify a container using `--all / -a` and use the exit code as an indicator of success are vulnerable to running SIF containers that have unsigned, or modified, objects that may be exploited to introduce malicious behavior.\n\n```\n$ singularity verify -a image.sif \nWARNING: Missing signature for SIF descriptor 2 (JSON.Generic)\nWARNING: Missing signature for SIF descriptor 3 (FS)\nContainer is signed by 1 key(s):\n\nVerifying partition: Def.FILE:\n12045C8C0B1004D058DE4BEDA20C27EE7FF7BA84\n[LOCAL] Unit Test <unit@test.com>\n[OK] Data integrity verified\n\nINFO: Container verified: image.sif\n\n$ echo $?\n0\n```\n\n\n### Patches\n\nSingularity 3.6.0 has a new implementation of sign/verify that fixes this issue.\n\nAll users are advised to upgrade to 3.6.0. Note that Singularity 3.6.0 uses a new signature format that is necessarily incompatible with Singularity < 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.\n\nVersion 3.6.0 includes a `--legacy-insecure` flag for the `singularity verify` command, that will perform verification of the older, and insecure, legacy signatures for compatibility with existing containers. This does not guarantee that containers have not been modified since signing, due to other issues in the legacy signature format.\n\n### Workarounds\n\nIf you are unable to update to 3.6.0 ensure that you do not rely on the return code of `singularity verify --all / -a` as an indicator of trust in a container.\n\nNote that other issues in the sign/verify implementation in Singularity < 3.6.0 allow additional means to introduce malicious behavior to a signed container.\n\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: security@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13846", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58869", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58778", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58746", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58761", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58713", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58757", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58815", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58771", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58798", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58651", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58735", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58756", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58723", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58776", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58783", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58801", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58763", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.58795", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00368", "scoring_system": "epss", "scoring_elements": "0.588", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13846" }, { "reference_url": "https://github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-6w7g-p4jh-rf92" }, { "reference_url": "https://github.com/sylabs/singularity", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sylabs/singularity" }, { "reference_url": "https://medium.com/sylabs", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/sylabs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13846", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13846" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040", "reference_id": "965040", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/939435?format=api", "purl": "pkg:deb/debian/singularity-container@4.1.5%2Bds4-1?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@4.1.5%252Bds4-1%3Fdistro=sid" } ], "aliases": [ "CVE-2020-13846", "GHSA-6w7g-p4jh-rf92" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5ftw-539a-kbdz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/36383?format=api", "vulnerability_id": "VCID-a2rx-fr2c-vqej", "summary": "Insecure permissions on user namespace / fakeroot temporary rootfs in Singularity\n### Impact\n\nInsecure permissions on temporary directories used in fakeroot or user namespace container execution.\n\nWhen a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.\n\n### Patches\n\nThis issue is addressed in Singularity 3.6.3.\n\nAll users are advised to upgrade to 3.6.3.\n\n### Workarounds\n\nThe issue is mitigated if `TMPDIR` is set to a location that is only accessible to the user, as any subdirectories directly under `TMPDIR` cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: security@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25039", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.7446", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74366", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74364", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74362", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74391", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74416", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74382", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74404", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74239", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74244", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74271", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74276", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74291", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74312", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74293", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74285", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74322", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74332", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74324", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00815", "scoring_system": "epss", "scoring_elements": "0.74357", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25039" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-w6v2-qchm-grj7" }, { "reference_url": "https://medium.com/sylabs", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/sylabs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25039", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25039" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465", "reference_id": "970465", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/939435?format=api", "purl": "pkg:deb/debian/singularity-container@4.1.5%2Bds4-1?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@4.1.5%252Bds4-1%3Fdistro=sid" } ], "aliases": [ "CVE-2020-25039", "GHSA-w6v2-qchm-grj7" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-a2rx-fr2c-vqej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46648?format=api", "vulnerability_id": "VCID-cjnx-2wm2-yyhg", "summary": "Insecure permissions on build temporary rootfs in Singularity\n### Impact\n\nInsecure permissions on temporary directories used in explicit and implicit container build operations.\n\nWhen a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.\n\n### Patches\n\nThis issue is addressed in Singularity 3.6.3.\n\nAll users are advised to upgrade to 3.6.3.\n\n### Workarounds\n\nThe issue is mitigated if `TMPDIR` is set to a location that is only accessible to the user, as any subdirectories directly under `TMPDIR` cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: security@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00070.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00088.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25040", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73189", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.7311", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73107", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73101", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73129", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.7315", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73111", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73134", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72958", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72971", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72991", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.72967", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73004", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73018", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73043", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73022", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73015", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73058", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73067", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.7306", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00744", "scoring_system": "epss", "scoring_elements": "0.73099", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-25040" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-jv9c-w74q-6762" }, { "reference_url": "https://medium.com/sylabs", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/sylabs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25040", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25040" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465", "reference_id": "970465", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970465" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/939435?format=api", "purl": "pkg:deb/debian/singularity-container@4.1.5%2Bds4-1?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@4.1.5%252Bds4-1%3Fdistro=sid" } ], "aliases": [ "CVE-2020-25040", "GHSA-jv9c-w74q-6762" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cjnx-2wm2-yyhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/216658?format=api", "vulnerability_id": "VCID-qr9c-hzvb-uuch", "summary": "Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Check. Singularity's sign and verify commands do not sign metadata found in the global header or data object descriptors of a SIF file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13847", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.4068", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40764", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40791", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40715", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40765", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40773", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40792", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40757", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40738", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40783", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40753", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40676", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.4058", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40568", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40485", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.4034", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40407", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40425", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40328", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40353", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00189", "scoring_system": "epss", "scoring_elements": "0.40428", "published_at": "2026-05-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13847" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040", "reference_id": "965040", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/939435?format=api", "purl": "pkg:deb/debian/singularity-container@4.1.5%2Bds4-1?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@4.1.5%252Bds4-1%3Fdistro=sid" } ], "aliases": [ "CVE-2020-13847" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qr9c-hzvb-uuch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48516?format=api", "vulnerability_id": "VCID-qz7w-3qvp-ykan", "summary": "Path traversal and files overwrite with unsquashfs in singularity\n### Impact\n\nDue to insecure handling of path traversal and the lack of path sanitization within `unsquashfs` (a distribution provided utility used by Singularity), it is possible to overwrite/create any files on the host filesystem during the extraction of a crafted squashfs filesystem.\n\nSquashfs extraction occurs automatically for unprivileged execution of Singularity (either `--without-suid` installation or with `allow setuid = no`) when a user attempts to run an image which:\n\n- is a local SIF image or a single file containing a squashfs filesystem\n- is pulled from remote sources `library://` or `shub://`\n\nImage build is also impacted in a more serious way as it is often performed by the root user, allowing an attacker to overwrite/create files leading to a system compromise. Bootstrap methods `library`, `shub` and `localimage` trigger a squashfs extraction.\n\n### Patches\n\nThis issue is addressed in Singularity 3.6.4.\n\nAll users are advised to upgrade to 3.6.4 especially if they use Singularity mainly for building image as root user.\n\n### Workarounds\n\nThere is no solid workaround except to temporarily avoid use of unprivileged mode with single file images, in favor of sandbox images instead. Regarding image build, temporarily avoid building from `library` and `shub` sources, and as much as possible use `--fakeroot` or a VM to limit potential impact.\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: security@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00070.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00070.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00071.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00071.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00009.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00009.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15229", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75484", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75343", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75333", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75368", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75373", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75377", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75385", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75414", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.7544", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75419", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75429", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75243", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75246", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75278", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75255", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75298", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75309", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.7533", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75308", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75297", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00876", "scoring_system": "epss", "scoring_elements": "0.75336", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-15229" }, { "reference_url": "https://github.com/hpcng/singularity/blob/v3.6.4/CHANGELOG.md#security-related-fixes", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/blob/v3.6.4/CHANGELOG.md#security-related-fixes" }, { "reference_url": "https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/commit/eba3dea260b117198fdb6faf41f2482ab2f8d53e" }, { "reference_url": "https://github.com/hpcng/singularity/pull/5611", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/pull/5611" }, { "reference_url": "https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-7gcp-w6ww-2xv9" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15229", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15229" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972212", "reference_id": "972212", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972212" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/939435?format=api", "purl": "pkg:deb/debian/singularity-container@4.1.5%2Bds4-1?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@4.1.5%252Bds4-1%3Fdistro=sid" } ], "aliases": [ "CVE-2020-15229", "GHSA-7gcp-w6ww-2xv9" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qz7w-3qvp-ykan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/251479?format=api", "vulnerability_id": "VCID-v5ff-gwhq-sqbh", "summary": "Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33622", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67778", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67812", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67831", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67811", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67862", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67876", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67899", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67886", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67849", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67885", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67898", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67879", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67909", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67913", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67888", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.6793", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67971", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.6794", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.67965", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00547", "scoring_system": "epss", "scoring_elements": "0.68021", "published_at": "2026-05-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-33622" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990201", "reference_id": "990201", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990201" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/939435?format=api", "purl": "pkg:deb/debian/singularity-container@4.1.5%2Bds4-1?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@4.1.5%252Bds4-1%3Fdistro=sid" } ], "aliases": [ "CVE-2021-33622" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v5ff-gwhq-sqbh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37089?format=api", "vulnerability_id": "VCID-x9mw-wgx6-dyge", "summary": "Execution Control List (ECL) Is Insecure in Singularity\n### Impact\n\nThe Singularity Execution Control List (ECL) allows system administrators to set up a policy that defines rules about what signature(s) must be (or must not be) present on a SIF container image for it to be permitted to run.\n\nIn Singularity 3.x versions below 3.6.0, the following issues allow the ECL to be bypassed by a malicious user:\n\n * Image integrity is not validated when an ECL policy is enforced.\n * The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature. Thus, it is trivial to craft an arbitrary payload which will be permitted to run, even if the attacker does not have access to the private key associated with the fingerprint(s) configured in the ECL.\n\n### Patches\n\nThese issues are addressed in Singularity 3.6.0.\n\nAll users are advised to upgrade to 3.6.0. Note that Singularity 3.6.0 uses a new signature format that is necessarily incompatible with Singularity < 3.6.0 - e.g. Singularity 3.5.3 cannot verify containers signed by 3.6.0.\n\nVersion 3.6.0 includes a `legacyinsecure` option that can be set to `legacyinsecure = true` in `ecl.toml` to allow the ECL to perform verification of the older, and insecure, legacy signatures for compatibility with existing containers. This does not guarantee that containers have not been modified since signing, due to other issues in the legacy signature format. The option should be used only to temporarily ease the transition to containers signed with the new 3.6.0 signature format.\n\n### Workarounds\n\nThis issue affects any installation of Singularity configured to use the Execution Control List (ECL) functionality. There is no workaround if ECL is required.\n\n### For more information\n\nGeneral questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:\n\n* [Singularity Slack Channel](https://bit.ly/2m0g3lX)\n* [Singularity Mailing List](https://groups.google.com/a/lbl.gov/forum/??sdf%7Csort:date#!forum/singularity)\n\nAny sensitive security concerns should be directed to: security@sylabs.io\n\nSee our Security Policy here: https://sylabs.io/security-policy", "references": [ { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html" }, { "reference_url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13845", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23238", "published_at": "2026-05-14T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.2313", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23023", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23106", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.2318", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23142", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23159", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23299", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23472", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23509", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23293", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23366", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23417", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23436", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23399", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23345", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23362", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23356", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23336", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23145", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00079", "scoring_system": "epss", "scoring_elements": "0.23138", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2020-13845" }, { "reference_url": "https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c" }, { "reference_url": "https://medium.com/sylabs", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://medium.com/sylabs" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13845", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13845" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040", "reference_id": "965040", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=965040" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939441?format=api", "purl": "pkg:deb/debian/singularity-container@3.9.5%2Bds1-2?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }, { "url": "http://public2.vulnerablecode.io/api/packages/939435?format=api", "purl": "pkg:deb/debian/singularity-container@4.1.5%2Bds4-1?distro=sid", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@4.1.5%252Bds4-1%3Fdistro=sid" } ], "aliases": [ "CVE-2020-13845", "GHSA-pmfr-63c2-jr5c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x9mw-wgx6-dyge" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/singularity-container@3.9.5%252Bds1-2%3Fdistro=sid" }