cvedb.io
CVE-2022-23538
MEDIUM · CVSS 5.2
EPSS exploitation probability: 0%
Published 2023-01-17T21:15:11.827 · Last modified 2026-06-17T04:30:19.003

Summary

github.com/sylabs/scs-library-client is the Go client for the Singularity Container Services (SCS) Container Library Service. When the scs-library-client is used to pull a container image, with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the client to a backing S3 storage server, to perform a multi-part concurrent download. Depending on site configuration, the S3 service may be provided by a third party. An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. The vulnerable multi-part concurrent download flow, with redirect to S3, is only used when commun
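The flow described above, as an added Go example that is not code from scs-library-client or from this advisory: a client building ranged requests for a multi-part download attaches the Authorization header only when the download target is the library service itself, so a redirect target such as an S3 endpoint never sees it. The names partRequests and sameOrigin, the example.test URLs and the credential value are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// sameOrigin reports whether b has the scheme and host:port of a.
// An implicit port versus an explicit one counts as different (fails closed).
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// partRequests builds one ranged GET per part of a size-byte object at target.
// authHeader is attached only when target is the library service itself, so a
// redirect target such as an S3 endpoint never receives the user's credential.
func partRequests(library, target *url.URL, authHeader string, size, partSize int64) ([]*http.Request, error) {
	if size <= 0 || partSize <= 0 {
		return nil, fmt.Errorf("invalid size %d or part size %d", size, partSize)
	}
	var reqs []*http.Request
	for start := int64(0); start < size; start += partSize {
		end := start + partSize - 1
		if end >= size {
			end = size - 1
		}
		req, err := http.NewRequest(http.MethodGet, target.String(), nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Range", fmt.Sprintf("bytes=%d-%d", start, end))
		if authHeader != "" && sameOrigin(library, target) {
			req.Header.Set("Authorization", authHeader)
		}
		reqs = append(reqs, req)
	}
	return reqs, nil
}

func main() {
	// Constructed URLs and credential, for illustration only.
	library, _ := url.Parse("https://library.example.test/v1/imagefile/demo")
	s3, _ := url.Parse("https://bucket.s3.example.test/demo.sif?X-Sig=constructed")
	reqs, _ := partRequests(library, s3, "Bearer constructed-token", 2500, 1024)
	for _, r := range reqs {
		fmt.Printf("%s %s auth=%q\n", r.URL.Host, r.Header.Get("Range"), r.Header.Get("Authorization"))
	}
}
```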

Affected products

sylabs — singularity_container_services_library


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.