CVE-2022-39237 - Vulnerability Details - OpenCVE

syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Sylabs	Singularity Image Format

Configuration 1 [-]

cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa
https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
https://security.gentoo.org/glsa/202210-19

History

Wed, 23 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-06T00:00:00.000Z

Updated: 2025-04-23T16:53:04.342Z

Reserved: 2022-09-02T00:00:00.000Z

Link: CVE-2022-39237

Vulnrichment

Updated: 2024-08-03T12:00:43.155Z

NVD

Status : Modified

Published: 2022-10-06T18:16:10.160

Modified: 2024-11-21T07:17:50.937

Link: CVE-2022-39237

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39237", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:53:04.342Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-06T00:00:00.000Z"}, "containers": {"cna": {"title": "Digital Signature Hash Algorithms Not Validated in sylabs/sif", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-31T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure."}], "affected": [{"vendor": "sylabs", "product": "sif", "versions": [{"version": "< 2.8.1", "status": "affected"}]}], "references": [{"url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"}, {"url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"}, {"name": "GLSA-202210-19", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-19"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "cweId": "CWE-347"}]}], "source": {"advisory": "GHSA-m5m3-46gj-wch8", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.155Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8", "tags": ["x_transferred"]}, {"url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa", "tags": ["x_transferred"]}, {"name": "GLSA-202210-19", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-19"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:56:51.919225Z", "id": "CVE-2022-39237", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:53:04.342Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8", "tags": ["x_transferred"]}, {"url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202210-19", "name": "GLSA-202210-19", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.155Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T13:56:51.919225Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T13:56:53.174Z"}}], "cna": {"title": "Digital Signature Hash Algorithms Not Validated in sylabs/sif", "source": {"advisory": "GHSA-m5m3-46gj-wch8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "sylabs", "product": "sif", "versions": [{"status": "affected", "version": "< 2.8.1"}]}], "references": [{"url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"}, {"url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"}, {"url": "https://security.gentoo.org/glsa/202210-19", "name": "GLSA-202210-19", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-31T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-39237", "state": "PUBLISHED", "dateUpdated": "2025-04-23T16:53:04.342Z", "dateReserved": "2022-09-02T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-10-06T00:00:00.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*", "matchCriteriaId": "55B4B89E-C630-4A9C-9AE5-8EB9FBCC5336", "versionEndExcluding": "2.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure."}, {"lang": "es", "value": "syslabs/sif es la implementaci\u00f3n de referencia del Formato de Imagen de Singularidad (SIF). En las versiones anteriores a 2.8.1, el paquete \"github.com/sylabs/sif/v2/pkg/integrity\" no verificaba que los algoritmos hash usados fueran criptogr\u00e1ficamente seguros cuando eran verificadas las firmas digitales. Se presenta un parche disponible en versiones posteriores a v2.8.1 incluy\u00e9ndola, del m\u00f3dulo. Es recomendado a usuarios actualizar. Los usuarios que no puedan actualizarse pueden comprobar de forma independiente que los algoritmos de hash usados para el resumen de metadatos y el hash de la firma son criptogr\u00e1ficamente seguros"}], "id": "CVE-2022-39237", "lastModified": "2024-11-21T07:17:50.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-06T18:16:10.160", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-19"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}]}