PT-2021-24439 · Sylabs · Singularity
Published: 2021-06-01 · Updated: 2021-06-01
CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions:
Singularity versions prior to 3.7.4
Description:
The issue arises from the incorrect use of a default URL in the Singularity action commands (run, shell, and exec) when a container is specified with a library:// URI. These commands retrieve the container from the default remote endpoint, cloud.sylabs.io, instead of the configured remote endpoint. An attacker who pushes a malicious container to the default remote endpoint under a URI identical to the one a victim uses could therefore cause the victim's action command to execute the malicious container. Only action commands against library:// URIs are affected; other commands such as pull and push respect the configured remote endpoint.
Recommendations:
For versions prior to 3.7.4, upgrade to Singularity 3.7.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of library:// URIs in action commands, or configure an execution control list to restrict execution to containers signed with specific secure keys. Users who only interact with the default remote endpoint, or who do not use library:// URIs, are not affected and do not need to take any action.
Fix
RCE
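A triage helper for the advisory above, added here as an example and not part of the advisory or of the Singularity project: it decides whether an installation needs action from two inputs, the version string and the active remote endpoint, because only the combination of a pre-3.7.4 version with a non-default remote is exposed. It assumes the version is given as printed by `singularity --version` (with or without the "singularity version " prefix) and the endpoint as a URI or host name.

```shell
#!/bin/sh
# Added example for PT-2021-24439; FIXED_VERSION and DEFAULT_ENDPOINT come from
# the advisory text, everything else is an assumption of this helper.
FIXED_VERSION="3.7.4"
DEFAULT_ENDPOINT="cloud.sylabs.io"

# version_lt A B: return 0 when dotted version A is strictly lower than B.
# A leading "singularity version " prefix and a "-rc1"/"+meta" suffix are
# stripped; missing components count as 0 (so "3.7" < "3.7.4").
version_lt() {
    v1=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[-+].*$//').0.0
    v2=$(printf '%s' "$2" | sed 's/^[^0-9]*//; s/[-+].*$//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v1" | cut -d. -f"$i"); a=${a:-0}
        b=$(printf '%s' "$v2" | cut -d. -f"$i"); b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# needs_action VERSION ENDPOINT: return 0 (and print why) only when the
# install is on an affected version AND a non-default remote is configured,
# i.e. when run/shell/exec on a library:// URI would silently fetch from
# cloud.sylabs.io instead of the configured endpoint.
needs_action() {
    ver="$1"; endpoint="$2"
    if ! version_lt "$ver" "$FIXED_VERSION"; then
        echo "not affected: '$ver' already contains the fix ($FIXED_VERSION)"
        return 1
    fi
    case "$endpoint" in
        *"$DEFAULT_ENDPOINT"*)
            echo "not affected: default remote $DEFAULT_ENDPOINT is active"
            return 1 ;;
    esac
    echo "ACTION REQUIRED: '$ver' with remote '$endpoint'. Upgrade to" \
         "$FIXED_VERSION or later, or avoid library:// URIs in run/shell/exec" \
         "until upgraded."
    return 0
}

# Usage on a live host (assumed invocation, endpoint taken from the entry
# marked active in `singularity remote list`):
#   needs_action "$(singularity --version)" "https://library.example.org"
```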
Affected Products: Singularity