CVE-2020-25040

Name of the Vulnerable Software and Affected Versions Sylabs Singularity versions 3.6.2 and earlier

Description The issue concerns insecure permissions on temporary directories used in explicit and implicit container build operations. When a Singularity command that results in a container build operation is executed, it is possible for a user with access to the system to read the contents of the image during the build. Additionally, if the image contains a world-writable file or directory, it is possible for a user to inject arbitrary content into the running build, which in certain circumstances may enable arbitrary code execution during the build and/or when the built container is run.

Recommendations For Sylabs Singularity versions 3.6.2 and earlier, upgrade to version 3.6.3 to address the issue. As a temporary workaround, consider setting TMPDIR to a location that is only accessible to the user, however, this is difficult to enforce and not recommended to rely on as a mitigation.