CVE-2022-39237
Summary
| Field | Value |
|---|---|
| CVE | CVE-2022-39237 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-10-06 18:16:00 UTC |
| Updated | 2023-07-14 17:24:00 UTC |
| Description | sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Apptainer: Lack of Digital Signature Hash Verification (GLSA 202210-19) — Gentoo security | GENTOO | security.gentoo.org | |
| Merge pull request from GHSA-m5m3-46gj-wch8 · sylabs/sif@07fb860 · GitHub | MISC | github.com | |
| cve-website | MISC | www.cve.org | |
| Digital Signature Hash Algorithms Not Validated · Advisory · sylabs/sif · GitHub | CONFIRM | github.com | |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 182404 Debian Security Update for golang-github-sylabs-sif (CVE-2022-39237)
- 505982 Alpine Linux Security Update for apptainer
- 710667 Gentoo Linux Apptainer Lack of Digital Signature Hash Verification Vulnerability (GLSA 202210-19)
- 753532 OpenSUSE Security Update for apptainer (openSUSE-SU-2023:0018-1)