Improper Validation of an Integrity Check Value Affecting github.com/sylabs/singularity/internal/pkg package, versions <3.6.0
Snyk CVSS
Attack Complexity
Low
Integrity
High
Threat Intelligence
EPSS
0.11% (44th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMSYLABSSINGULARITYINTERNALPKG-2322172
- published 21 Dec 2021
- disclosed 20 Dec 2021
- credit Adam Hughes
How to fix?
Upgrade github.com/sylabs/singularity/internal/pkg
to version 3.6.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.