Vulnerability Details : CVE-2022-39237
sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used were cryptographically secure when verifying digital signatures. A patch is available in version v2.8.1 and later of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for the metadata digest(s) and the signature hash are cryptographically secure.
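The defect class described above, and the workaround the advisory suggests for users who cannot upgrade, shown as an added example (not code from the sif project): a verifier that only checks the signature arithmetic accepts a valid signature over a broken digest, while the hardened verifier first checks the digest algorithm named in the signature record against an allowlist. The signature scheme (RSA PKCS#1 v1.5), the `Signature` struct, the `secureHashes` allowlist and the sample message are all assumptions of this example and not the sif format's own structures.

```go
package main

import (
	"crypto"
	_ "crypto/md5" // register MD5 so crypto.MD5.New() works (the weak case)
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // register SHA-256 (the strong case)
	"fmt"
)

// secureHashes is this example's allowlist of digest algorithms accepted for
// signature verification (an assumption of the example, not the sif project's list).
var secureHashes = map[crypto.Hash]bool{
	crypto.SHA224: true, crypto.SHA256: true, crypto.SHA384: true, crypto.SHA512: true,
	crypto.SHA512_224: true, crypto.SHA512_256: true,
	crypto.SHA3_224: true, crypto.SHA3_256: true, crypto.SHA3_384: true, crypto.SHA3_512: true,
}

// IsSecureHash reports whether h is on the allowlist. Anything not listed
// (MD5, SHA-1, RIPEMD-160, MD5SHA1, unknown values) is rejected.
func IsSecureHash(h crypto.Hash) bool { return secureHashes[h] }

// Signature bundles what a signature record typically carries: the digest
// algorithm the signer chose and the signature bytes themselves (hypothetical struct).
type Signature struct {
	Hash crypto.Hash
	Sig  []byte
}

// Sign produces an RSA PKCS#1 v1.5 signature over msg using hash h.
func Sign(key *rsa.PrivateKey, h crypto.Hash, msg []byte) (Signature, error) {
	d := h.New()
	d.Write(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, h, d.Sum(nil))
	return Signature{Hash: h, Sig: sig}, err
}

// VerifyPermissive checks only the signature arithmetic and trusts whatever
// hash algorithm the signature record names. This is the defect pattern the
// advisory describes: a valid signature over a broken digest is accepted.
func VerifyPermissive(pub *rsa.PublicKey, s Signature, msg []byte) error {
	d := s.Hash.New()
	d.Write(msg)
	return rsa.VerifyPKCS1v15(pub, s.Hash, d.Sum(nil), s.Sig)
}

// VerifyStrict is the hardened form: refuse before touching the signature
// unless the named digest algorithm is on the allowlist.
func VerifyStrict(pub *rsa.PublicKey, s Signature, msg []byte) error {
	if !IsSecureHash(s.Hash) {
		return fmt.Errorf("signature uses disallowed hash algorithm %v", s.Hash)
	}
	return VerifyPermissive(pub, s, msg)
}

// Demo signs a constructed message with MD5 and with SHA-256 and reports how
// each verifier treats the results.
func Demo() (permissiveAcceptsMD5, strictRejectsMD5, strictAcceptsSHA256 bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample input standing in for signed metadata bytes.
	msg := []byte("constructed sample: SIF metadata descriptor bytes")

	weak, err := Sign(key, crypto.MD5, msg)
	if err != nil {
		return false, false, false, err
	}
	strong, err := Sign(key, crypto.SHA256, msg)
	if err != nil {
		return false, false, false, err
	}

	permissiveAcceptsMD5 = VerifyPermissive(&key.PublicKey, weak, msg) == nil
	strictRejectsMD5 = VerifyStrict(&key.PublicKey, weak, msg) != nil
	strictAcceptsSHA256 = VerifyStrict(&key.PublicKey, strong, msg) == nil
	return permissiveAcceptsMD5, strictRejectsMD5, strictAcceptsSHA256, nil
}

func main() {
	a, b, c, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("permissive verifier accepts MD5 signature: %v\n", a)
	fmt.Printf("strict verifier rejects MD5 signature:     %v\n", b)
	fmt.Printf("strict verifier accepts SHA-256 signature: %v\n", c)
}
```

The allowlist check runs before any signature math so that an attacker-chosen weak digest never reaches the verifier; an allowlist rather than a denylist is the right shape here, because a new or unrecognised algorithm identifier should fail closed.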
Products affected by CVE-2022-39237
- cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39237
- EPSS score: 0.21% (probability of exploitation activity in the next 30 days)
- Percentile: ~59% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-39237
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | 2.8 | 3.4 | GitHub, Inc. | |
CWE ids for CVE-2022-39237
- The product uses a broken or risky cryptographic algorithm or protocol. Assigned by: nvd@nist.gov (Primary)
- The product does not verify, or incorrectly verifies, the cryptographic signature for data. Assigned by: nvd@nist.gov (Primary); security-advisories@github.com (Secondary)
References for CVE-2022-39237
- https://security.gentoo.org/glsa/202210-19
  Apptainer: Lack of Digital Signature Hash Verification (GLSA 202210-19), Gentoo security. Type: Third Party Advisory
- https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
  Digital Signature Hash Algorithms Not Validated, Advisory, sylabs/sif, GitHub. Type: Third Party Advisory
- https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa
  Merge pull request from GHSA-m5m3-46gj-wch8, sylabs/sif@07fb860, GitHub. Type: Patch; Third Party Advisory