GHSA-WQCR-7RF3-F64M

Vulnerability from github – Published: 2026-06-04 17:38 – Updated: 2026-06-04 17:38
VLAI
Summary
Singluarity: Incorrect path matching for 'limit container paths' directive
Details

Impact

The limit container paths directive in singularity.conf is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed.

For example, the configuration:

limit container paths = /data/safe

Will also allow containers in /data/safe-but-unsafe to be run.

Patches

This issue is patched in SingularityCE 4.4.2 and SingularityPRO 4.3.9 / 4.1.14

Workarounds

If you do not use the limit container paths functionality, then this issue does not affect your installation.

If you do use the limit container paths functionality then you must update. Please also review the documented limitations when user namespaces are enabled [1].

Severity
4.8 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sylabs/singularity"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "3.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T17:38:21Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe `limit container paths` directive in `singularity.conf` is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed.\n\nFor example, the configuration:\n\n```\nlimit container paths = /data/safe\n```\n\nWill also allow containers in `/data/safe-but-unsafe` to be run.\n\n\n### Patches\n\nThis issue is patched in SingularityCE 4.4.2 and SingularityPRO 4.3.9 / 4.1.14\n\n### Workarounds\n\nIf you do not use the `limit container paths` functionality, then this issue does not affect your installation.\n\nIf you do use the `limit container paths` functionality then you must update. Please also review the documented limitations when user namespaces are enabled [1].",
  "id": "GHSA-wqcr-7rf3-f64m",
  "modified": "2026-06-04T17:38:21Z",
  "published": "2026-06-04T17:38:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/security/advisories/GHSA-wqcr-7rf3-f64m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/commit/c08791793e843d4c9c1f2fc1d9d12abef747378f"
    },
    {
      "type": "WEB",
      "url": "https://docs.sylabs.io/guides/latest/admin-guide/configfiles.html#limiting-container-execution"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sylabs/singularity"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sylabs/singularity/releases/tag/v4.4.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Singluarity: Incorrect path matching for \u0027limit container paths\u0027 directive"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.