PT-2021-4264 · Sylabs · Singularity

Tri-Adam · Published 2021-05-11 · Updated 2024-06-15 · CVE-2021-32635

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Singularity versions 3.7.2 through 3.7.3

Description: The issue stems from the incorrect use of a default URL in Singularity. When a library:// URI is given, the singularity action commands (run/shell/exec) retrieve the container from the default remote endpoint (cloud.sylabs.io) instead of the configured remote endpoint. This could allow an attacker to push a malicious container to the default remote endpoint and have it executed on a victim's system. Only action commands against library:// URIs are affected; other commands such as pull and push respect the configured remote endpoint.

Recommendations: For Singularity versions 3.7.2 and 3.7.3, upgrade to Singularity version 3.7.4 or later to resolve the issue. As a temporary workaround, interact only with the default remote endpoint. Alternatively, installations can configure an execution control list to restrict execution to containers signed with specific trusted keys.

Fix

RCE

Command Injection


Weakness Enumeration

Related Identifiers

BDU:2021-04872
CVE-2021-32635
GHSA-5MV9-Q7FQ-9394
MGASA-2022-0006
OPENSUSE-SU-2024:11384-1

Affected Products

Singularity