Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint
Vulnerability Description
Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Vulnerability Type
通信信道对预期端点的不适当限制
Vulnerability Title
Singularity 命令注入漏洞
Vulnerability Description
Singularity是Singularity 团队(Singularity)的一个开源的容器管理平台。该软件支持在其桌面上构建应用程序,并在任何公共云上或在计算边缘运行数百或数千个实例。 Singularity 3.7.2版本和3.7.3版本存在命令注入漏洞,该漏洞允许远程攻击者在目标系统上执行任意命令。
CVSS Information
N/A
Vulnerability Type
N/A