vulnerability
Ubuntu: (CVE-2022-39237): golang-github-sylabs-sif vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Oct 6, 2022 | Jun 26, 2025 | Aug 18, 2025 |
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
Oct 6, 2022
Added
Jun 26, 2025
Modified
Aug 18, 2025
Description
syslabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
Solution
no-fix-ubuntu-package
References
- CVE-2022-39237
- https://attackerkb.com/topics/CVE-2022-39237
- CWE-327
- CWE-347
- URL-https://github.com/sylabs/sif/commit/07fb86029a12e3210f6131e065570124605daeaa
- URL-https://github.com/sylabs/sif/commit/21972852d8783bc93fbf080190de8e1978f1c254
- URL-https://github.com/sylabs/sif/commit/a854038ce1f18237b81d505a1c3be6a60505db52
- URL-https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8
- URL-https://www.cve.org/CVERecord?id=CVE-2022-39237
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.