CVE-2019-19724
Published: 18 December 2019
Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
singularity-container Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| disco |
Not vulnerable
(code not present)
|
|
| eoan |
Not vulnerable
(code not present)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.5.2+ds1-1)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/sylabs/singularity/commit/2cda4981812c29f0fb11d3ea6aaf6139f665a631 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |