CVE-2021-29499
PUBLISHED
SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and the `siftool.New()` function produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing a `CreateInfo` struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.
EPSS 0.32% · 55.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:24.04:LTS | singularity-container | 4.1.1+ds2-1, 4.1.1+ds2-1build1, 4.1.1+ds2-1ubuntu0.2 |
| Ubuntu:25.10 | singularity-container | 0, 4.1.5+ds4-1 |
| Ubuntu:20.04:LTS | golang-github-sylabs-sif | 1.0.9-1, 0 |
| Ubuntu:25.10 | golang-github-sylabs-sif | 2.21.0-1, 0 |
| Ubuntu:Pro:18.04:LTS | singularity-container | 2.3.2-1, 2.4.2-2, 2.4.2-4 |
| Ubuntu:22.04:LTS | golang-github-sylabs-sif | 1.0.9-2.1, 1.0.9-2.1build1, 1.0.9-2.1ubuntu0.1 |
| Ubuntu:24.04:LTS | golang-github-sylabs-sif | 2.8.3-2ubuntu0.24.04.2, 0, 2.8.3-2ubuntu0.24.04.1 |
Timeline
- May 7, 2021 CVE Published
- May 8, 2021 EPSS Score
- May 19, 2021 CVE Updated
- Jul 11, 2021 EPSS Score
- Sep 11, 2021 EPSS Score
- Nov 12, 2021 EPSS Score
- Jan 13, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 15, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 16, 2022 EPSS Score
- Jul 18, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-29499 third-party-advisory
- https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-29499 third-party-advisory
- https://github.com/sylabs/sif/commit/193962882122abf85ff5f5bcc86404933e71c07d third-party-advisory