Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2020-15229

Опубликовано: 14 окт. 2020
Источник: ubuntu
Приоритет: medium
EPSS Низкий
CVSS2: 5.8
CVSS3: 8.2

Описание

Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within unsquashfs, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with allow setuid = no) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources library:// or shub://. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods library, shub and localimage are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use ...

РелизСтатусПримечание
bionic

not-affected

code not present
devel

DNE

esm-apps/bionic

not-affected

code not present
esm-infra-legacy/trusty

DNE

esm-infra/focal

DNE

focal

DNE

precise/esm

DNE

trusty

ignored

end of standard support
trusty/esm

DNE

upstream

needs-triage

Показывать по

Ссылки на источники

EPSS

Процентиль: 75%
0.00876
Низкий

5.8 Medium

CVSS2

8.2 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2020-15229

CVSS3: 8.2
nvd
больше 5 лет назад

Singularity (an open source container platform) from version 3.1.1 through 3.6.3 has a vulnerability. Due to insecure handling of path traversal and the lack of path sanitization within `unsquashfs`, it is possible to overwrite/create any files on the host filesystem during the extraction with a crafted squashfs filesystem. The extraction occurs automatically for unprivileged (either installation or with `allow setuid = no`) run of Singularity when a user attempt to run an image which is a local SIF image or a single file containing a squashfs filesystem and is coming from remote sources `library://` or `shub://`. Image build is also impacted in a more serious way as it can be used by a root user, allowing an attacker to overwrite/create files leading to a system compromise, so far bootstrap methods `library`, `shub` and `localimage` are triggering the squashfs extraction. This issue is addressed in Singularity 3.6.4. All users are advised to upgrade to 3.6.4 especially if they use Sin

debian логотип

CVE-2020-15229

CVSS3: 8.2
debian
больше 5 лет назад

Singularity (an open source container platform) from version 3.1.1 thr ...

suse-cvrf логотип

openSUSE-SU-2020:1770-1

suse-cvrf
больше 5 лет назад

Security update for singularity

suse-cvrf логотип

openSUSE-SU-2020:1769-1

suse-cvrf
больше 5 лет назад

Security update for singularity

github логотип

GHSA-7gcp-w6ww-2xv9

CVSS3: 8.2
github
больше 4 лет назад

Path traversal and files overwrite with unsquashfs in singularity

EPSS

Процентиль: 75%
0.00876
Низкий

5.8 Medium

CVSS2

8.2 High

CVSS3