CVE-2021-29499 - OpenCVE

SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sylabs	Singularity Image Format

Configuration 1 [-]

cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-05-07T20:50:09

Updated: 2024-08-03T22:11:05.383Z

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29499

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-05-07T21:15:07.377

Modified: 2021-05-19T18:53:48.487

Link: CVE-2021-29499

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "sif", "vendor": "sylabs", "versions": [{"status": "affected", "version": "<= 1.2.2"}]}], "descriptions": [{"lang": "en", "value": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-330", "description": "CWE-330 Use of Insufficiently Random Values", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-07T20:50:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg"}], "source": {"advisory": "GHSA-4gh8-x3vv-phhg", "discovery": "UNKNOWN"}, "title": "Predictable SIF UUID Identifiers", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29499", "STATE": "PUBLIC", "TITLE": "Predictable SIF UUID Identifiers"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "sif", "version": {"version_data": [{"version_value": "<= 1.2.2"}]}}]}, "vendor_name": "sylabs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-330 Use of Insufficiently Random Values"}]}]}, "references": {"reference_data": [{"name": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg", "refsource": "CONFIRM", "url": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg"}]}, "source": {"advisory": "GHSA-4gh8-x3vv-phhg", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:11:05.383Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29499", "datePublished": "2021-05-07T20:50:09", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:11:05.383Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sylabs:singularity_image_format:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B3A7BEE-A544-4235-9DB7-65163E2160F9", "versionEndExcluding": "1.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue."}, {"lang": "es", "value": "SIF es una implementaci\u00f3n de c\u00f3digo abierto del Singularity Container Image Format. El comando \"siftool new\" y func siftool.New() producen identificadores UUID predecibles debido a una aleatoriedad no segura en la versi\u00f3n del m\u00f3dulo `github.com/satori/go.uuid\" usado como dependencia. Un parche disponible en la versi\u00f3n posteriores a v1.2.3 incluy\u00e9ndo la del m\u00f3dulo. Los usuarios est\u00e1n decididos a actualizar. Como soluci\u00f3n alternativa, los usuarios que pasen la estructura CreateInfo deben asegurarse de que el campo \"ID\" se genere utilizando una versi\u00f3n de \"github.com/satori/go.uuid\" que no es vulnerable a este problema"}], "id": "CVE-2021-29499", "lastModified": "2021-05-19T18:53:48.487", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-05-07T21:15:07.377", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sylabs/sif/security/advisories/GHSA-4gh8-x3vv-phhg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-330"}], "source": "security-advisories@github.com", "type": "Primary"}]}