Singularity is an open source container platform. In verions 3.7.2 and 3.7.3, Dde to incorrect use of a default URL, singularity action commands (run/shell/exec) specifying a container using a library:// URI will always attempt to retrieve the container from the default remote endpoint (cloud.sylabs.io) rather than the configured remote endpoint. An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, thus executing the malicious container. Only action commands (run/shell/exec) against library:// URIs are affected. Other commands such as pull / push respect the configured remote endpoint. The vulnerability is patched in Singularity version 3.7.4. Two possible workarounds exist: Users can only interact with the default remote endpoint, or an installation can have an execution control list configured to restrict execution to containers signed with specific secure keys.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Singularity | Sylabs | 3.7.2 (including) | 3.7.2 (including) |
| Singularity | Sylabs | 3.7.3 (including) | 3.7.3 (including) |
| Singularity-container | Ubuntu | bionic | * |
| Singularity-container | Ubuntu | trusty | * |
| Singularity-container | Ubuntu | xenial | * |