GHSA-jv9c-w74q-6762

Suggest an improvement
Source
https://github.com/advisories/GHSA-jv9c-w74q-6762
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-jv9c-w74q-6762/GHSA-jv9c-w74q-6762.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jv9c-w74q-6762
Aliases
Published
2021-05-24T16:56:23Z
Modified
2023-11-08T04:03:09.544193Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Insecure permissions on build temporary rootfs in Singularity
Details

Impact

Insecure permissions on temporary directories used in explicit and implicit container build operations.

When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.

Patches

This issue is addressed in Singularity 3.6.3.

All users are advised to upgrade to 3.6.3.

Workarounds

The issue is mitigated if TMPDIR is set to a location that is only accessible to the user, as any subdirectories directly under TMPDIR cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.

For more information

General questions about the impact of the advisory / changes made in the 3.6.0 release can be asked in the:

Any sensitive security concerns should be directed to: security@sylabs.io

See our Security Policy here: https://sylabs.io/security-policy

References

Affected packages

Go / github.com/sylabs/singularity

Package

Name
github.com/sylabs/singularity
View open source insights on deps.dev
Purl
pkg:golang/github.com/sylabs/singularity

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.6.3