CVE-2019-19724: Incorrect Default Permissions

May 24, 2022 (updated July 18, 2023)

Insecure permissions (777) are set on $HOME/.singularity when it is newly created by Singularity (version from 3.3.0 to 3.5.1), which could lead to an information leak, and malicious redirection of operations performed against Sylabs cloud services.

References

lists.opensuse.org/opensuse-security-announce/2020-01/msg00025.html
lists.opensuse.org/opensuse-security-announce/2020-07/msg00059.html
github.com/advisories/GHSA-mj73-5x75-9phh
github.com/sylabs/singularity/releases/tag/v3.5.2
nvd.nist.gov/vuln/detail/CVE-2019-19724

Detect and mitigate CVE-2019-19724 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →