#VU13896 Race condition in Singularity - CVE-2018-12021

Cybersecurity Help s.r.o.

Published: 2018-07-16 | Updated: 2018-07-17

Vulnerability identifier: #VU13896

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-12021

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Singularity
Universal components / Libraries / Libraries used by multiple products

Vendor: Singularity

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to race condition. A remote attacker can bypass directory image restrictions, like mounting the host root filesystem as a container image and gain access to arbitrary data.

Mitigation
Update to version 2.5.2.

Vulnerable software versions

Singularity: 2.3.0 - 2.5.1

External links
https://github.com/singularityware/singularity/releases/tag/2.5.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for singularity

SUSE Linux update for singularity

Information disclosure in Singularity