| id: GO-TEST-ID |
| modules: |
| - module: github.com/apptainer/sif |
| versions: |
| - introduced: 1.2.1-0.20180103161547-0ef6afb2f6cd |
| fixed: 1.2.1-0.20180404165556-75cca531ea76 |
| - module: github.com/satori/go.uuid |
| versions: |
| - introduced: 1.2.1-0.20180103161547-0ef6afb2f6cd |
| fixed: 1.2.1-0.20180404165556-75cca531ea76 |
| vulnerable_at: 1.2.0 |
| summary: github.com/satori/go.uuid has Predictable SIF UUID Identifiers |
| description: |- |
| ### Impact |
| |
| The siftool new command produces predictable UUID identifiers due to insecure |
| randomness in the version of the `github.com/satori/go.uuid` module used as a |
| dependency. |
| |
| ### Patches |
| |
| A patch is available in version >= v1.2.1-0.20180404165556-75cca531ea76 of the |
| module. Users are encouraged to upgrade. |
| |
| Fixed by https://github.com/hpcng/sif/pull/90 |
| |
| ### Workarounds |
| |
| Users passing CreateInfo struct should ensure the ID field is generated using a |
| version of github.com/satori/go.uuid that is not vulnerable to this issue. |
| Unfortunately, the latest tagged release is vulnerable to this issue. One way to |
| obtain a non-vulnerable version is: |
| |
| `go get -u github.com/satori/go.uuid@v1.2.1-0.20180404165556-75cca531ea76` |
| |
| ### References |
| |
| https://github.com/satori/go.uuid/issues/73 |
| |
| ### For more information |
| |
| If you have any questions or comments about this advisory: |
| |
| Open an issue in https://github.com/hpcng/sif/issues |
| cves: |
| - CVE-2021-3538 |
| ghsas: |
| - GHSA-33m6-q9v5-62r7 |
| references: |
| - advisory: https://github.com/hpcng/sif/security/advisories/GHSA-33m6-q9v5-62r7 |
| - advisory: https://nvd.nist.gov/vuln/detail/CVE-2021-3538 |
| - report: https://github.com/satori/go.uuid/issues/73 |
| - fix: https://github.com/satori/go.uuid/pull/75 |
| - fix: https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557 |
| - web: https://bugzilla.redhat.com/show_bug.cgi?id=1954376 |
| - web: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488 |
| notes: |
| - lint: 'github.com/apptainer/sif: 2 versions do not exist: 1.2.1-0.20180103161547-0ef6afb2f6cd, 1.2.1-0.20180404165556-75cca531ea76' |
| - lint: 'github.com/satori/go.uuid: vulnerable_at version 1.2.0 is not inside vulnerable range' |
| - lint: references should contain at most one advisory link |
| - lint: summary should begin with a capital letter |