Vulnerability Description
Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared against the signature object descriptor(s) in the SIF file, rather than to a cryptographically validated signature.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sylabs | Singularity | >= 3.0.0, <= 3.5.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00046.html (Broken Link)
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html (Broken Link)
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00053.html (Broken Link)
- https://github.com/hpcng/singularity/security/advisories/GHSA-pmfr-63c2-jr5c (Third Party Advisory)
- https://medium.com/sylabs (Third Party Advisory)
FAQ
What is CVE-2020-13845?
CVE-2020-13845 is a vulnerability with a CVSS score of 7.5 (HIGH). Sylabs Singularity 3.0 through 3.5 has Improper Validation of an Integrity Check Value. Image integrity is not validated when an ECL policy is enforced. The fingerprint required by the ECL is compared...
How severe is CVE-2020-13845?
CVE-2020-13845 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-13845?
Check the references section above for vendor advisories and patch information. Affected products include: Sylabs Singularity.