PT-2022-24831 · Sylabs · Sif

Tri-Adam · Published 2022-10-06 · Updated 2024-06-20 · CVE-2022-39237

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: sylabs/sif versions prior to 2.8.1

Description: The issue concerns the verification of digital signatures in the Singularity Image Format (SIF) reference implementation. Specifically, the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithm(s) used were cryptographically secure when verifying digital signatures. Users are encouraged to upgrade to a version where this issue is fixed. Users unable to upgrade are advised to independently validate that the hash algorithm(s) used for the metadata digest(s) and the signature hash are cryptographically secure.

Recommendations: For versions prior to 2.8.1, upgrade to version 2.8.1 or later. As a temporary workaround, users unable to upgrade should independently validate that the hash algorithm(s) used for the metadata digest(s) and the signature hash are cryptographically secure.
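The kind of check the workaround asks for, as an added Go example that is not code from the sylabs/sif project: an explicit allowlist of hash algorithms applied both to the algorithm a signature declares and to a metadata digest before it is recomputed. The allowlist contents, the function names and the sample input are assumptions; the real integrity package's types differ.

```go
package main

import (
	"crypto"
	"crypto/sha256" // importing registers SHA-224/SHA-256 so crypto.Hash.New works
	_ "crypto/sha512" // registers SHA-384/SHA-512
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrHashUnsupported is returned for MD5, SHA-1, RIPEMD-160 or anything else not allowlisted.
var ErrHashUnsupported = errors.New("hash algorithm is not cryptographically secure")
// Algorithms acceptable for metadata digests and signature hashes; everything else fails closed.
var secureHashes = map[crypto.Hash]bool{
	crypto.SHA224: true, crypto.SHA256: true, crypto.SHA384: true, crypto.SHA512: true,
}

// SecureHashAlgorithm rejects any crypto.Hash outside the allowlist, e.g. the one a signature declares.
func SecureHashAlgorithm(h crypto.Hash) error {
	if !secureHashes[h] {
		return fmt.Errorf("%w: %v", ErrHashUnsupported, h)
	}
	return nil
}

// VerifyDigest recomputes a metadata digest over data with algorithm h, refusing weak or unknown algorithms first.
func VerifyDigest(h crypto.Hash, wantHex string, data []byte) error {
	if err := SecureHashAlgorithm(h); err != nil {
		return err
	}
	want, err := hex.DecodeString(wantHex)
	if err != nil {
		return fmt.Errorf("malformed digest value: %w", err)
	}
	hasher := h.New()
	hasher.Write(data)
	if subtle.ConstantTimeCompare(hasher.Sum(nil), want) != 1 {
		return errors.New("digest mismatch")
	}
	return nil
}

func main() {
	data := []byte("constructed SIF metadata") // constructed sample input
	sum := sha256.Sum256(data)
	fmt.Println(VerifyDigest(crypto.SHA256, hex.EncodeToString(sum[:]), data)) // <nil>
	fmt.Println(VerifyDigest(crypto.MD5, "00000000000000000000000000000000", data)) // rejected before hashing
}
```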

Weakness Enumeration

Improper Verification of Cryptographic Signature
Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2022-39237
GHSA-M5M3-46GJ-WCH8
GO-2022-1045
OPENSUSE-SU-2023:0018-1
OPENSUSE-SU-2023_0018-1
OPENSUSE-SU-2024:12389-1
OPENSUSE-SU-2024:14059-1

Affected Products

Debian
Suse
Sif