CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector string | AV:N/AC:M/Au:N/C:P/I:P/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | LOW |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |

EPSS

Metric | Value |
---|---|
Percentile | 54.3% |
Singularity is an open source container platform. In versions 3.7.2 and 3.7.3, due to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (run/shell/exec) against library:// URIs are affected. Other commands such as pull/push respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: users can interact only with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | singularity-container | < any | UNKNOWN |
ubuntu | 24.04 | noarch | singularity-container | < any | UNKNOWN |
References

- github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3
- github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394
- launchpad.net/bugs/cve/CVE-2021-32635
- nvd.nist.gov/vuln/detail/CVE-2021-32635
- security-tracker.debian.org/tracker/CVE-2021-32635
- www.cve.org/CVERecord?id=CVE-2021-32635