#VU71422 Insufficiently protected credentials in SCS Library Client


Published: 2023-01-23

Vulnerability identifier: #VU71422

Vulnerability risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-23538

CWE-ID: CWE-522

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SCS Library Client
Client/Desktop applications / Other client software

Vendor: Sylabs

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to insufficiently protected credentials when pulling container images. A remote administrator can obtain the HTTP Authorization header.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

SCS Library Client: 1.3.2 - 1.4.1

External links
http://github.com/sylabs/scs-library-client/commit/68ac4cab5cda0afd8758ff5b5e2e57be6a22fcfa
http://github.com/sylabs/scs-library-client/commit/b5db2aacba6bf1231f42dd475cc32e6355ab47b2
http://github.com/sylabs/scs-library-client/commit/eebd7caaab310b1fa803e55b8fc1acd9dcd2d00c
http://github.com/sylabs/scs-library-client/security/advisories/GHSA-7p8m-22h4-9pj7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora 37 update for apptainer
Fedora EPEL 9 update for apptainer
Fedora EPEL 8 update for apptainer
Fedora 36 update for apptainer
Fedora EPEL 7 update for apptainer
Fedora EPEL 7 update for singularity-ce
Fedora EPEL 8 update for singularity-ce
Fedora EPEL 9 update for singularity-ce
Insufficiently protected credentials in SCS Library Client