Vulnerability Description
syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sylabs | Singularity Image Format | < 2.8.1 |
Related Weaknesses (CWE)
References
- https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaaPatchThird Party Advisory
- https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8Third Party Advisory
- https://security.gentoo.org/glsa/202210-19Third Party Advisory
- https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaaPatchThird Party Advisory
- https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8Third Party Advisory
- https://security.gentoo.org/glsa/202210-19Third Party Advisory
FAQ
What is CVE-2022-39237?
CVE-2022-39237 is a vulnerability with a CVSS score of 6.3 (MEDIUM). syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) use...
How severe is CVE-2022-39237?
CVE-2022-39237 has been rated MEDIUM with a CVSS base score of 6.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39237?
Check the references section above for vendor advisories and patch information. Affected products include: Sylabs Singularity Image Format.