CVE-2019-11328
Aliases: GHSA-557g-r22w-9wvx
Advisory lineage: Upstream: 0, Downstream: 3
Status: Modified
Published: 14 May 2019, 20:24
Last modified: 04 Aug 2024, 22:48
Vulnerability Summary
Overall Risk (default): high (70/100)
CVSS Score: 9 HIGH (v2.0, NVD)
EPSS Score: 0.61% LOW (1% probability; change -0.24%)
KEV: Not listed
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected
Timeline
- 14 May 2019, 20:24: Published (vulnerability first disclosed)
- 04 Aug 2024, 22:48: Last Modified (vulnerability information updated)
Description
An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2. A malicious user with local or network access to the host system (e.g. via ssh) could exploit this vulnerability because insecure permissions allowed a user to edit files within `/run/singularity/instances/sing/<user>/<instance>`. Manipulating those files can change the behavior of the starter-suid program when instances are joined, resulting in potential privilege escalation on the host. Because starter-suid runs with elevated (setuid root) privileges, any file it trusts from a location the user can write becomes attacker-controlled input to a privileged process; the fix is tracked in the commit and the v3.2.0 release tag listed under References.
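The defensive pattern the description implies is that a setuid helper must validate the ownership and permissions of any state file it reads from a user-reachable path before trusting its contents. The following Go function is an added example of such a validate-before-trust check; it is not code from the Singularity project or from the referenced fix commit. The `ownerUID` parameter, the `instance.json` file name and the temporary-directory fixture are assumptions made for illustration, and the ownership lookup uses Linux `syscall.Stat_t`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// CheckTrustedStateFile is the kind of validate-before-trust check a setuid
// helper such as starter-suid needs before reading per-instance state that
// lives under a path an unprivileged user can reach. It refuses the file when:
//   - the file or its parent directory is a symlink (os.Lstat, no following);
//   - the file is not a regular file, or the parent is not a directory;
//   - either is owned by a uid other than ownerUID;
//   - either is writable by group or others.
// ownerUID is whatever uid the privileged helper expects to own the state
// (assumption: root for a hardened layout, or the instance owner if the
// helper only needs to bind the file to the calling user).
func CheckTrustedStateFile(path string, ownerUID uint32) error {
	dir := filepath.Dir(path)
	if err := checkEntry(dir, ownerUID, true); err != nil {
		return fmt.Errorf("parent %s: %w", dir, err)
	}
	if err := checkEntry(path, ownerUID, false); err != nil {
		return fmt.Errorf("file %s: %w", path, err)
	}
	return nil
}

// checkEntry applies the ownership and permission rules to one path.
func checkEntry(p string, ownerUID uint32, wantDir bool) error {
	fi, err := os.Lstat(p) // Lstat: a symlink must be seen, not followed
	if err != nil {
		return err
	}
	mode := fi.Mode()
	if mode&os.ModeSymlink != 0 {
		return errors.New("is a symlink")
	}
	if wantDir && !mode.IsDir() {
		return errors.New("not a directory")
	}
	if !wantDir && !mode.IsRegular() {
		return errors.New("not a regular file")
	}
	st, ok := fi.Sys().(*syscall.Stat_t) // Linux/Unix only (assumption)
	if !ok {
		return errors.New("no unix ownership information")
	}
	if st.Uid != ownerUID {
		return fmt.Errorf("owned by uid %d, want %d", st.Uid, ownerUID)
	}
	if mode.Perm()&0o022 != 0 {
		return fmt.Errorf("writable by group or others (mode %04o)", mode.Perm())
	}
	return nil
}

// main builds a constructed fixture in a temporary directory so the check can
// be exercised without a real /run/singularity tree.
func main() {
	base, err := os.MkdirTemp("", "instance-check")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	uid := uint32(os.Getuid())

	state := filepath.Join(base, "instance.json") // hypothetical state file name
	if err := os.WriteFile(state, []byte("{}"), 0o600); err != nil {
		panic(err)
	}
	fmt.Println("0600, correct owner:", CheckTrustedStateFile(state, uid))

	os.Chmod(state, 0o666) // the insecure-permission case from the advisory
	fmt.Println("0666, correct owner:", CheckTrustedStateFile(state, uid))

	os.Chmod(state, 0o600)
	link := filepath.Join(base, "link.json")
	os.Symlink(state, link)
	fmt.Println("symlink to state:", CheckTrustedStateFile(link, uid))
}
```

A path-based check like this still leaves a window between the check and the subsequent open. In a real setuid helper, open the file first (with `O_NOFOLLOW`), apply the same ownership and permission rules to the result of `fstat` on the descriptor, and only then parse the contents, so the object that was validated is the object that is read.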
CVSS Metrics
- v3.1 • HIGH • Score: 8.8 • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- v3.0 • HIGH • Score: 8.8 • CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- v2.0 • HIGH • Score: 9 • AV:N/AC:L/Au:S/C:C/I:C/A:C
EPSS Trends
Current EPSS score: 0.61% • Percentile: 70%
Techniques & Countermeasures
- CWE-732 • Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Affected Systems
- fedoraproject • fedora: 28 | 29 | 30
- github.com/sylabs • singularity: ≥ 3.1.0, < 3.2.0
- opensuse • backports: sle-15 | sle-15:sp1
- opensuse • leap: 15.1
- sylabs • singularity: ≥ 3.1.0, < 3.2.0 | 3.2.0 | 3.2.0:rc1 | 3.2.0:rc2
References (10)
- https://github.com/sylabs/singularity/releases/tag/v3.2.0
- https://github.com/sylabs/singularity/commit/618c9d56802399adb329c23ea2b70598eaff4a31
- https://nvd.nist.gov/vuln/detail/CVE-2019-11328
- http://www.openwall.com/lists/oss-security/2019/05/16/1
- http://www.securityfocus.com/bid/108360
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNU5BUHFOTYUZVHFUSX2VG4S3RCPUEMA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5O3TPL5OOTIZEI4H6IQBCCISBARJ6WL3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LIHV7DSEVTB5SUPEZ2UXGS3Q6WMEQSO2/
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html