GHSA-m5m3-46gj-wch8

Suggest an improvement
Source
https://github.com/advisories/GHSA-m5m3-46gj-wch8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-m5m3-46gj-wch8/GHSA-m5m3-46gj-wch8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m5m3-46gj-wch8
Aliases
Published
2022-10-06T19:54:55Z
Modified
2023-11-08T04:10:16.141610Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
SIF's Digital Signature Hash Algorithms Not Validated
Details

Impact

The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.

The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

For more information

If you have any questions or comments about this advisory:

Database specific 
{
    "nvd_published_at": "2022-10-06T18:16:00Z",
    "github_reviewed_at": "2022-10-06T19:54:55Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-327",
        "CWE-347"
    ]
}
References

Affected packages

Go / github.com/sylabs/sif/v2

Package

Name
github.com/sylabs/sif/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/sylabs/sif/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.1