CVE-2022-39237 MEDIUM

CVE-2022-39237: Digital Signature Hash Algorithms Not Validated in sylabs/sif

Vendor Sylabs
Product sif
Weakness CWE-347
Published October 6, 2022
Last update April 23, 2025

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

Description

sylabs/sif is the Singularity Image Format (SIF) reference implementation. In versions prior to 2.8.1, the `github.com/sylabs/sif/v2/pkg/integrity` package did not verify that the hash algorithm(s) used are cryptographically secure when verifying digital signatures. A patch is available in version >= v2.8.1 of the module. Users are encouraged to upgrade. Users unable to upgrade may independently validate that the hash algorithm(s) used for metadata digest(s) and signature hash are cryptographically secure.
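The weakness is a missing allow-list check: a verifier that accepts whatever hash algorithm the signed metadata names will happily confirm an MD5 or SHA-1 digest, so integrity rests on an algorithm with practical collision attacks. The Go program below is an added illustration of the "independently validate" advice, not code from the sylabs/sif project; its `alg:hex` digest string format, the `hashByName` table and the `strict` flag are assumptions made here for the example. It contrasts a lenient verifier (accepts any matching digest, as pre-2.8.1 behaviour is described) with a strict one that rejects weak algorithms before hashing anything.

```go
package main

import (
	"crypto"
	_ "crypto/md5" // registered only so the weak case can be computed for comparison
	_ "crypto/sha1"
	_ "crypto/sha256"
	_ "crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ErrInsecureHash is returned when a digest names an algorithm that must not
// be trusted to protect integrity (collision attacks are practical).
var ErrInsecureHash = errors.New("digest uses a hash algorithm that is not cryptographically secure")

// hashByName maps the algorithm label used in our constructed digest strings
// to the Go crypto.Hash identifier (assumed format, not the sif project's).
var hashByName = map[string]crypto.Hash{
	"md5":    crypto.MD5,
	"sha1":   crypto.SHA1,
	"sha224": crypto.SHA224,
	"sha256": crypto.SHA256,
	"sha384": crypto.SHA384,
	"sha512": crypto.SHA512,
}

// IsSecureHash is the check a verifier must apply before trusting a digest.
// It is an allow-list on purpose: anything not listed is rejected.
func IsSecureHash(h crypto.Hash) bool {
	switch h {
	case crypto.SHA224, crypto.SHA256, crypto.SHA384, crypto.SHA512:
		return true
	}
	return false
}

// VerifyDigest checks that payload hashes to the value carried in digest,
// which has the constructed form "<alg>:<hex>". With strict == true, weak
// algorithms are refused before any hashing happens; strict == false mirrors
// a verifier that only checks whether the digest matches.
func VerifyDigest(digest string, payload []byte, strict bool) error {
	parts := strings.SplitN(digest, ":", 2)
	if len(parts) != 2 {
		return fmt.Errorf("malformed digest %q", digest)
	}
	h, known := hashByName[strings.ToLower(parts[0])]
	if !known || !h.Available() {
		return fmt.Errorf("unknown digest algorithm %q", parts[0])
	}
	if strict && !IsSecureHash(h) {
		return fmt.Errorf("%w: %s", ErrInsecureHash, parts[0])
	}
	want, err := hex.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("digest %q is not hex: %v", digest, err)
	}
	hw := h.New()
	hw.Write(payload)
	got := hw.Sum(nil)
	// Constant-time comparison so the check does not leak how many bytes matched.
	if subtle.ConstantTimeCompare(got, want) != 1 {
		return errors.New("digest mismatch")
	}
	return nil
}

// Digest produces a digest string in the form VerifyDigest expects. It exists
// here to build the sample inputs, including the deliberately weak ones.
func Digest(alg string, payload []byte) (string, error) {
	h, known := hashByName[strings.ToLower(alg)]
	if !known || !h.Available() {
		return "", fmt.Errorf("unknown digest algorithm %q", alg)
	}
	hw := h.New()
	hw.Write(payload)
	return alg + ":" + hex.EncodeToString(hw.Sum(nil)), nil
}

func main() {
	payload := []byte("constructed SIF metadata bytes") // sample input, not a real image
	for _, alg := range []string{"md5", "sha1", "sha256"} {
		d, _ := Digest(alg, payload)
		fmt.Printf("%-6s lenient: %v\n", alg, VerifyDigest(d, payload, false))
		fmt.Printf("%-6s strict:  %v\n", alg, VerifyDigest(d, payload, true))
	}
}
```

Running it shows the lenient path reporting `<nil>` for all three algorithms, while the strict path reports `<nil>` only for sha256 and an `ErrInsecureHash` error for md5 and sha1. The important property is that the algorithm check happens before the digest comparison: a matching weak digest is never evidence of integrity, so the verifier must not even compute it.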

Key dates

Disclosure timeline

October 6, 2022 CVE published
April 23, 2025 Record updated