CVE-2022-39237

Aliases: GHSA-m5m3-46gj-wch8, GO-2022-1045
Status: Modified
Published: 06 Oct 2022, 00:00
Last modified: 23 Apr 2025, 16:53

Vulnerability Summary

Overall Risk (default): high (70/100)
CVSS Score: 9.8 CRITICAL, v3.1 (nvd)
EPSS Score: 0.25% LOW (0% probability, +0.01%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

06 Oct 2022, 00:00
Published
Vulnerability first disclosed
23 Apr 2025, 16:53
Last Modified
Vulnerability information updated

Description

sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

CVSS Metrics

  • v3.1 MEDIUM, Score: 6.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
  • v3.1 CRITICAL, Score: 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.25% Percentile: 49%

Techniques & Countermeasures

  • CWE-347: Improper Verification of Cryptographic Signature

    The product does not verify, or incorrectly verifies, the cryptographic signature for data.

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

    The product uses a broken or risky cryptographic algorithm or protocol.

Affected Systems

  • github.com/sylabs/sif/v2

    < 2.8.1

  • sylabs sif

    < 2.8.1

  • sylabs singularity_image_format

    < 2.8.1

References (9)