CVE-2022-39237

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-39237
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39237.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-39237
Aliases
Related
Published
2022-10-06T18:16:10Z
Modified
2024-10-12T10:05:13.884616Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the github.com/sylabs/sif/v2/pkg/integrity package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

References

Affected packages

Debian:11 / golang-github-sylabs-sif

Package

Name
golang-github-sylabs-sif
Purl
pkg:deb/debian/golang-github-sylabs-sif?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.0.9-2.1

2.*

2.3.1-1
2.3.1-2
2.3.1-3
2.8.3-1
2.8.3-2
2.15.0-1
2.15.1-1
2.15.2-1
2.16.0-1
2.16.0-2
2.17.0-1
2.18.0-1
2.19.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / golang-github-sylabs-sif

Package

Name
golang-github-sylabs-sif
Purl
pkg:deb/debian/golang-github-sylabs-sif?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / golang-github-sylabs-sif

Package

Name
golang-github-sylabs-sif
Purl
pkg:deb/debian/golang-github-sylabs-sif?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/sylabs/sif

Affected ranges

Type
GIT
Repo
https://github.com/sylabs/sif
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.10
v1.0.3
v1.0.3-beta.1
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.3.0
v1.4.0
v1.4.1

v2.*

v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.1
v2.1.0
v2.1.1
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.5.0
v2.6.0
v2.7.0
v2.7.1
v2.7.2
v2.8.0