CVE-2022-39237

syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa	Patch Third Party Advisory
https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8	Third Party Advisory
https://security.gentoo.org/glsa/202210-19	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*

History

14 Jul 2023, 17:24

Type	Values Removed	Values Added
CWE	~~CWE-347~~	CWE-327

Information

Published : 2022-10-06 18:16

Updated : 2024-02-28 19:29

NVD link : CVE-2022-39237

Mitre link : CVE-2022-39237

CVE.ORG link : CVE-2022-39237

JSON object : View

Products Affected

sylabs

singularity_image_format

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2022-39237", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2022-10-06T18:16:10.160", "references": [{"url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.gentoo.org/glsa/202210-19", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-327"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure."}, {"lang": "es", "value": "syslabs/sif es la implementaci\u00f3n de referencia del Formato de Imagen de Singularidad (SIF). En las versiones anteriores a 2.8.1, el paquete \"github.com/sylabs/sif/v2/pkg/integrity\" no verificaba que los algoritmos hash usados fueran criptogr\u00e1ficamente seguros cuando eran verificadas las firmas digitales. Se presenta un parche disponible en versiones posteriores a v2.8.1 incluy\u00e9ndola, del m\u00f3dulo. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizarse pueden comprobar de forma independiente que los algoritmos de hash usados para el resumen de metadatos y el hash de la firma son criptogr\u00e1ficamente seguros"}], "lastModified": "2023-07-14T17:24:50.857", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55B4B89E-C630-4A9C-9AE5-8EB9FBCC5336", "versionEndExcluding": "2.8.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}