Information Exposure Affecting github.com/sylabs/singularity/internal/pkg package, versions >=3.2.0 <3.6.3


0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High
    Integrity High

    Threat Intelligence

    EPSS 0.23% (61st percentile)
Expand this section
NVD
8.1 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMSYLABSSINGULARITYINTERNALPKG-2322605
  • published 21 Dec 2021
  • disclosed 20 Dec 2021
  • credit Unknown

How to fix?

Upgrade github.com/sylabs/singularity/internal/pkg to version 3.6.3 or higher.

Overview

Affected versions of this package are vulnerable to Information Exposure via insecure permissions on temporary directories used in fakeroot or user namespace container execution.

When a Singularity action command (run, shell, exec) is run with the fakeroot or user namespace option, Singularity will extract a container image to a temporary sandbox directory. Due to insecure permissions on the temporary directory it is possible for any user with access to the system to read the contents of the image. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running container.

Workaround

The issue is mitigated if TMPDIR is set to a location that is only accessible to the user, as any subdirectories directly under TMPDIR cannot then be accessed by others. However, this is difficult to enforce so it is not recommended to rely on this as a mitigation.