PT-2019-12243 · Sylabs+1 · Singularity+1

Matthias Gerstner

·

Publicado

2019-05-14

·

Atualizado

2024-06-15

·

CVE-2019-11328

CVSS v2.0

9.0

Alta

VetorAV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Singularity versions 3.1.0 through 3.2.0-rc2
Description An issue allows a malicious user with local or network access to the host system to exploit insecure permissions. This enables the user to edit files within /run/singularity/instances/sing/<user>/<instance>, potentially changing the behavior of the starter-suid program when instances are joined, resulting in possible privilege escalation on the host.
Recommendations For Singularity versions 3.1.0 through 3.2.0-rc2, consider restricting access to the /run/singularity/instances/sing/<user>/<instance> directory to prevent unauthorized file edits until a patch is available.

Exploit

Correção

Incorrect Permission

Improper Privilege Management

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-732CWE-269

Identificadores relacionados

CVE-2019-11328
GHSA-557G-R22W-9WVX
OPENSUSE-SU-2019:2288-1
OPENSUSE-SU-2020:1037-1
OPENSUSE-SU-2020_1037-1
OPENSUSE-SU-2024:11384-1

Produtos afetados

Singularity
Suse