{"id":3684612,"name":"github.com/hpcng/singularity","ecosystem":"go","description":"","homepage":"https://github.com/hpcng/singularity","licenses":"BSD-3-Clause","normalized_licenses":["BSD-3-Clause"],"repository_url":"https://github.com/hpcng/singularity","keywords_array":[],"namespace":"github.com/hpcng","versions_count":18,"first_release_published_at":"2018-08-19T18:22:03.000Z","latest_release_published_at":"2019-04-02T21:48:41.000Z","latest_release_number":"v3.1.1+incompatible","last_synced_at":"2026-06-18T11:01:16.323Z","created_at":"2022-04-11T11:08:02.543Z","updated_at":"2026-06-18T11:01:16.323Z","registry_url":"https://pkg.go.dev/github.com/hpcng/singularity","install_command":"go get github.com/hpcng/singularity","documentation_url":"https://pkg.go.dev/github.com/hpcng/singularity#section-documentation","metadata":{},"repo_metadata":{},"repo_metadata_updated_at":"2023-03-21T18:57:07.045Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":9,"rankings":{"downloads":null,"dependent_repos_count":1.734824651058801,"dependent_packages_count":9.557939438810688,"stargazers_count":null,"forks_count":null,"docker_downloads_count":0.5535859859328492,"average":3.9487833586007794},"purl":"pkg:golang/github.com/hpcng/singularity","advisories":[{"uuid":"GSA_kwCzR0hTQS00eDMyLWgyOTYtcmc2as4AATbw","url":"https://github.com/advisories/GHSA-4x32-h296-rg6j","title":"Singularity Incorrect Access Control ","description":"Singularity 2.3.0 through 2.5.1 is affected by an incorrect access control on systems supporting overlay file system. 
When using the overlay option, a malicious user may access sensitive information by exploiting a few specific Singularity features.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-05-14T01:01:38.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.5,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2018-12021","https://github.com/singularityware/singularity/releases/tag/2.5.2","http://www.openwall.com/lists/oss-security/2019/05/16/1","https://github.com/advisories/GHSA-4x32-h296-rg6j"],"source_kind":"github","identifiers":["GHSA-4x32-h296-rg6j","CVE-2018-12021"],"repository_url":"https://github.com/singularityware/singularity","blast_radius":0.0,"created_at":"2023-07-22T01:03:37.462Z","updated_at":"2026-05-19T03:08:15.411Z","epss_percentage":0.00427,"epss_percentile":0.62527,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00eDMyLWgyOTYtcmc2as4AATbw","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00eDMyLWgyOTYtcmc2as4AATbw","packages":[{"ecosystem":"go","package_name":"github.com/hpcng/singularity","versions":[{"first_patched_version":"2.5.2","vulnerable_version_range":"\u003e= 2.3.0, \u003c= 2.5.1"}],"purl":"pkg:go/github.com%2Fhpcng%2Fsingularity"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00eDMyLWgyOTYtcmc2as4AATbw/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpxNDItaGZjaC00MmYz","url":"https://github.com/advisories/GHSA-jq42-hfch-42f3","title":"Action Commands (run/shell/exec) Against Library URIs Ignore Configured Remote Endpoint","description":"# Impact\nDue to incorrect use of a default URL, `singularity` action commands (`run`/`shell`/`exec`) specifying a container using a `library://` URI will always attempt to retrieve the container from the default remote endpoint (`cloud.sylabs.io`) rather than the configured remote 
endpoint.\n\nAn attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, so that the victim's action command executes the malicious container.\n\nOnly action commands (`run`/`shell`/`exec`) against `library://` URIs are affected. Other commands such as `pull` / `push` respect the configured remote endpoint.\n\n# Patches\nAll users should upgrade to Singularity 3.7.4 or later.\n\n# Workarounds\nUsers who only interact with the default remote endpoint or do not use `library://` URIs are not affected.\n\nInstallations with an execution control list configured to restrict execution to containers signed with specific secure keys are not affected.\n\n# Acknowledgements\nThis issue was found by Mike Frisch and brought to our attention by Sylabs.  Sylabs is making a [coordinated disclosure](https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394).\n\n# For more information\nGeneral questions about the impact of the advisory can be asked in the:\n\n[Singularity Slack Channel](https://join.slack.com/t/hpcng/shared_invite/zt-qda4h1ls-OP0Uouq6sSmVE6i_0NrWdw)\n[Singularity Mailing List](https://groups.google.com/a/lbl.gov/g/singularity)\nAny sensitive security concerns should be directed to: 
[singularity-security@hpcng.org](mailto:singularity-security@hpcng.org)\n","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2021-06-01T21:20:53.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","references":["https://github.com/hpcng/singularity/security/advisories/GHSA-jq42-hfch-42f3","https://github.com/sylabs/singularity/security/advisories/GHSA-5mv9-q7fq-9394","https://github.com/advisories/GHSA-jq42-hfch-42f3"],"source_kind":"github","identifiers":["GHSA-jq42-hfch-42f3"],"repository_url":"https://github.com/hpcng/singularity","blast_radius":0.0,"created_at":"2022-12-21T16:13:00.220Z","updated_at":"2026-05-04T17:10:48.791Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpxNDItaGZjaC00MmYz","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpxNDItaGZjaC00MmYz","packages":[{"ecosystem":"go","package_name":"github.com/hpcng/singularity","versions":[{"first_patched_version":"3.7.4","vulnerable_version_range":"\u003e= 3.7.2, \u003c 
3.7.4"}],"purl":"pkg:go/github.com%2Fhpcng%2Fsingularity"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWpxNDItaGZjaC00MmYz/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/hpcng/singularity","docker_dependents_count":15,"docker_downloads_count":991425,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/hpcng/singularity","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/hpcng/singularity/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fhpcng%2Fsingularity/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fhpcng%2Fsingularity/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fhpcng%2Fsingularity/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fhpcng%2Fsingularity/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fhpcng%2Fsingularity/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fhpcng%2Fsingularity/codemeta","maintainers":[]}