What is the vulnerability ID of this Singularity issue?

The vulnerability ID is CVE-2021-32635.

Which versions of Singularity are affected by this vulnerability?

Versions 3.7.2 and 3.7.3 of Singularity are affected.

How does this vulnerability occur in Singularity?

Due to incorrect use of a default URL, Singularity action commands using a `library://` URI will always attempt to retrieve the container from the default remote endpoint.

What is the severity of CVE-2021-32635?

The severity of CVE-2021-32635 is medium, with a severity value of 6.3.

How can I fix this vulnerability in Singularity?

Update to Singularity version 3.7.4, which contains the fix for CVE-2021-32635.

Are there any references for this vulnerability?

Yes, you can find references for CVE-2021-32635 at the following URLs: [Reference 1](https://github.com/sylabs/singularity/releases/tag/v3.7.4), [Reference 2](https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394), [Reference 3](https://security.gentoo.org/glsa/202107-50).

Vulnerability/
CVE-2021-32635

medium

6.8

CWE

20 923

28/5/2021

3/8/2024

CVE-2021-32635: Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint

First published: Fri May 28 2021(Updated: )

Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Sylabs Singularity	=3.7.2
Sylabs Singularity	=3.7.3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID of this Singularity issue?
The vulnerability ID is CVE-2021-32635.
What is Singularity?
Singularity is an open source container platform.
Which versions of Singularity are affected by this vulnerability?
Versions 3.7.2 and 3.7.3 of Singularity are affected.
How does this vulnerability occur in Singularity?
Due to incorrect use of a default URL, Singularity action commands using a `library://` URI will always attempt to retrieve the container from the default remote endpoint.
What is the severity of CVE-2021-32635?
The severity of CVE-2021-32635 is medium, with a severity value of 6.3.
How can I fix this vulnerability in Singularity?
Update to Singularity version 3.7.4, which contains the fix for CVE-2021-32635.
Are there any references for this vulnerability?
Yes, you can find references for CVE-2021-32635 at the following URLs: [Reference 1](https://github.com/sylabs/singularity/releases/tag/v3.7.4), [Reference 2](https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394), [Reference 3](https://security.gentoo.org/glsa/202107-50).

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/author
agent/severity
agent/title
agent/weakness
agent/references
agent/last-modified-date
agent/tags
agent/description
agent/first-publish-date
agent/event
vendor/sylabs
canonical/sylabs singularity
version/sylabs singularity/3.7.2
version/sylabs singularity/3.7.3