PT-2019-12243 · Sylabs+1 · Singularity+1
Matthias Gerstner · Published 2019-05-14 · Updated 2024-06-15 · CVE-2019-11328
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Singularity versions 3.1.0 through 3.2.0-rc2
Description
An issue allows a malicious user with local or network access to the host system to exploit insecure permissions. This enables the user to edit files within /run/singularity/instances/sing/<user>/<instance>, potentially changing the behavior of the starter-suid program when instances are joined, resulting in possible privilege escalation on the host.
Recommendations
For Singularity versions 3.1.0 through 3.2.0-rc2, consider restricting access to the /run/singularity/instances/sing/<user>/<instance> directory to prevent unauthorized file edits until a patch is available.
Exploit
Fix
Incorrect Permission
Improper Privilege Management
Related Identifiers
Affected Products
Singularity
Suse