Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-M5M3-46GJ-WCH8
HistoryOct 06, 2022 - 7:54 p.m.

SIF's Digital Signature Hash Algorithms Not Validated

2022-10-0619:54:55
Google
osv.dev
14
digital signature validation
hash algorithm
cryptographic security
patch
upgrade
metadata digest
signature hash
cve-2004-2761
cve-2005-4900

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.012 Low

EPSS

Percentile

85.2%

JSON

Impact

The github.com/sylabs/sif/v2/pkg/integrity package does not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures.

Patches

A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade.

The patch is commit https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa

Workarounds

Users may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
github.com/sylabs/sif/v2lt2.8.1

Related

github 2
nessus 11
gentoo 1
openvas 14
fedora 2
veracode 3
cvelist 4
cve 5
nvd 5
fortinet 1
f5 2
alpinelinux 1
cnvd 1
debiancve 2
ubuntucve 3
osv 4
ubuntu 1
prion 3
suse 1
redhatcve 1
redhat 1
ics 1
oracle 1
github
github
SIF's Digital Signature Hash Algorithms Not Validated
2022-10-06 19:54:55
Use of a weak cryptographic algorithm in Gradle
2022-05-24 16:56:18
nessus
nessus
SSL Certificate Signed Using Weak Hashing Algorithm
2009-01-05 00:00:00
Fedora 10 : nss-3.12.2.0-4.fc10 (2009-1291)
2009-04-23 00:00:00
Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : nss, firefox vulnerability (USN-740-1)
2009-04-23 00:00:00
gentoo
gentoo
Apptainer: Lack of Digital Signature Hash Verification
2022-10-31 00:00:00
openvas
openvas
Fedora Core 10 FEDORA-2009-1291 (nss)
2009-02-10 00:00:00
Fedora Core 10 FEDORA-2009-1291 (nss)
2009-02-10 00:00:00
Fedora Core 9 FEDORA-2009-1276 (nss)
2009-02-10 00:00:00
fedora
fedora
[SECURITY] Fedora 9 Update: nss-3.12.2.0-2.fc9
2009-02-05 02:13:54
[SECURITY] Fedora 10 Update: nss-3.12.2.0-4.fc10
2009-02-05 02:15:23
veracode
veracode
Spoofing Attacks
2020-04-10 00:55:19
Collision Attack
2017-08-14 04:39:15
Improper Verification Of Cryptographic Signatures
2022-10-07 09:37:48
cvelist
cvelist
CVE-2004-2761
2009-01-05 20:00:00
CVE-2005-4900
2016-10-14 16:00:00
CVE-2022-39237 Digital Signature Hash Algorithms Not Validated in sylabs/sif
2022-10-06 00:00:00
cve
cve
CVE-2005-4900
2016-10-14 16:59:00
CVE-2004-2761
2009-01-05 20:30:02
CVE-2022-39237
2022-10-06 18:16:10
nvd
nvd
CVE-2005-4900
2016-10-14 16:59:00
CVE-2004-2761
2009-01-05 20:30:02
CVE-2022-39237
2022-10-06 18:16:10
fortinet
fortinet
FortiOS SSL Deep-Inspection Proxy Mode badssl.com Compliance
2018-05-16 00:00:00
f5
f5
K15578 : MD5 Message-Digest Algorithm vulnerability CVE-2004-2761
2014-09-11 00:00:00
SOL15578 - MD5 Message-Digest Algorithm vulnerability CVE-2004-2761
2014-09-11 00:00:00
alpinelinux
alpinelinux
CVE-2022-39237
2022-10-06 18:16:10
cnvd
cnvd
Singularity Image Format Encryption Problem Vulnerability
2022-10-10 00:00:00
debiancve
debiancve
CVE-2022-39237
2022-10-06 18:16:10
CVE-2019-16370
2019-09-16 18:15:12
ubuntucve
ubuntucve
CVE-2004-2761
2009-01-05 00:00:00
CVE-2022-39237
2022-10-06 00:00:00
CVE-2019-16370
2019-09-16 00:00:00
osv
osv
Improper validation of signature hash algorithms in github.com/sylabs/sif/v2
2022-10-21 15:34:36
CVE-2022-39237
2022-10-06 18:16:10
Use of a weak cryptographic algorithm in Gradle
2022-05-24 16:56:18
ubuntu
ubuntu
NSS vulnerability
2009-03-17 00:00:00
prion
prion
Design/Logic Flaw
2022-10-06 18:16:00
Denial of service
2019-09-16 18:15:00
Design/Logic Flaw
2016-09-18 02:59:00
suse
suse
Security update for subversion (important)
2017-08-17 00:09:05
redhatcve
redhatcve
CVE-2019-16370
2019-10-07 06:36:52
redhat
redhat
(RHSA-2010:0838) Moderate: pki security and enhancement update
2010-11-08 00:00:00
ics
ics
Philips Intellispace Portal ISP Vulnerabilities
2018-02-27 12:00:00
oracle
oracle
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.012 Low

EPSS

Percentile

85.2%

JSON
Related for OSV:GHSA-M5M3-46GJ-WCH8
github2nessus11gentoo1openvas14fedora2veracode3cvelist4cve5nvd5fortinet1f52alpinelinux1cnvd1debiancve2ubuntucve3osv4ubuntu1prion3suse1redhatcve1redhat1ics1oracle1