CVE-2022-39237 — Vulnetix

CVE-2022-39237 PUBLISHED CVSS 6.300000190734863 MEDIUM

syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

EPSS 0.25% · 48.8th percentile

Risk Scores

CVSS 3.1

6.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

EPSS Score

0.25%

48.8th percentile

Affected Products

Vendor	Product	Versions
sylabs	sif	< 2.8.1
sylabs	singularity_image_format	0
github.com	sylabs/sif/v2	0

Exploit Intelligence

CIRCL seen: CVE-2022-39237 (circl-sighting)
https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8 (circl)
https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa (circl)
GLSA-202210-19 (circl)

Timeline

Oct 6, 2022 CVE Published
Oct 6, 2022 PoC Published
Oct 7, 2022 CVE Updated
Oct 7, 2022 EPSS Score
Nov 20, 2022 EPSS Score
Jan 3, 2023 EPSS Score
Feb 17, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Apr 2, 2023 EPSS Score
May 16, 2023 EPSS Score
Jun 29, 2023 EPSS Score
Aug 12, 2023 EPSS Score

References

https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8 url
https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa url
GLSA-202210-19 vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2022-39237 advisory
https://github.com/sylabs/sif package
https://github.com/sylabs/sif/releases/tag/v2.8.1 url
https://nvd.nist.gov/vuln/detail/cve-2004-2761 advisory
https://nvd.nist.gov/vuln/detail/cve-2005-4900 advisory
https://pkg.go.dev/vuln/GO-2022-1045 url

Open in Interactive Console →