CVE-2021-32635

Aliases:GHSA-5mv9-q7fq-9394

Advisory lineage Upstream: 0 Downstream: 3

Downstream

MGASA-2022-0006 OPENSUSE-SU-2024:11384-1 UBUNTU-CVE-2021-32635

Modified

Published: 28 May 2021, 20:20

Last modified:03 Aug 2024, 23:25

Vulnerability Summary

Overall Risk (default)

medium

27/100

CVSS Score

6.8 MEDIUM

v2.0 (nvd)

EPSS Score

0.63% LOW

1% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

28 May 2021, 20:20

Published

Vulnerability first disclosed

03 Aug 2024, 23:25

Last Modified

Vulnerability information updated

Description

Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.

CVSS Metrics

v3.1•MEDIUM•Score: 6.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.63%• Percentile: 71%

Techniques & Countermeasures

CWE-923•Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.
CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

github.com/sylabs•singularity
≥ 3.7.2, < 3.7.4
sylabs•singularity
3.7.2 | 3.7.3 | ≥ 3.7.2, ≤ 3.7.3