CVE-2022-39237

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39237
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39237.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39237
Aliases
Downstream
Related
Published
2022-10-06T00:00:00Z
Modified
2025-10-14T19:13:08.571931Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Digital Signature Hash Algorithms Not Validated in sylabs/sif
Details

syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

Affected packages

Git / github.com/sylabs/sif

Affected ranges

Type
GIT
Repo
https://github.com/sylabs/sif
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.10
v1.0.3
v1.0.3-beta.1
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.3.0
v1.4.0
v1.4.1

v2.*

v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.1
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.7.2
v2.8.0