CVE-2019-19724

CVE-2019-19724

Name

CVE-2019-19724

Description

Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Release Notes	https://github.com/sylabs/singularity/releases/tag/v3.5.2
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00025.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html

Type

URI

Release Notes

https://github.com/sylabs/singularity/releases/tag/v3.5.2

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00025.html

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:sylabs:singularity::::::::`	singularity	>= 3.3.0	<= 3.5.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:sylabs:singularity:*:*:*:*:*:*:*:*

singularity

>= 3.3.0

<= 3.5.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
singularity	edge-community	3.5.2-r0	None	fixed
singularity	3.22-community	3.5.2-r0	None	fixed
singularity	3.21-community	3.5.2-r0	None	fixed
singularity	3.20-community	3.5.2-r0	None	fixed
singularity	3.19-community	3.5.2-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

singularity

edge-community

3.5.2-r0

None

fixed

singularity

3.22-community