In Singularity 3.7.2 and 3.7.3, action commands against library:// URIs erroneously always used the default remote endpoint (cloud.sylabs.io). An attacker may be able to push a malicious container to the default remote endpoint with a URI that is identical to the URI used by a victim with a non-default remote endpoint, so that the victim executes the malicious container.
Created singularity tracking bugs for this issue:

Affects: epel-all [bug 1965514]
Affects: fedora-all [bug 1965513]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
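A triage sketch for the issue described above, added here as an example and not taken from Singularity or from this tracker: it flags hosts that ran an action command on a library:// URI while on an affected version with a non-default remote configured. The inventory format, the host names, `library.example.org`, the image names, and the reading of "action commands" as run/exec/shell are assumptions.

```python
import os
import re
import shlex

AFFECTED = {"3.7.2", "3.7.3"}               # versions named in the advisory
DEFAULT_ENDPOINT = "cloud.sylabs.io"        # default remote named in the advisory
ACTION_COMMANDS = {"run", "exec", "shell"}  # assumption: what "action commands" covers

def base_version(text):
    """Pull X.Y.Z out of strings such as 'singularity version 3.7.3-1.el8'."""
    m = re.search(r"\d+\.\d+\.\d+", text)
    return m.group(0) if m else None

def library_uris(command_line):
    """library:// URIs passed to a singularity action command, else []."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes in a logged command line
        return []
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) == "singularity":
            rest = tokens[i + 1:]
            # Simplification: the first non-option token is taken as the subcommand.
            sub = next((t for t in rest if not t.startswith("-")), None)
            if sub in ACTION_COMMANDS:
                return [t for t in rest if t.startswith("library://")]
            return []
    return []

def triage(hosts):
    """Return (host, uri, intended_endpoint) for every exposed invocation."""
    findings = []
    for h in hosts:
        if base_version(h["version"]) not in AFFECTED:
            continue
        if h["remote"] == DEFAULT_ENDPOINT:
            continue  # the default endpoint was the intended one
        for cmd in h["commands"]:
            findings += [(h["name"], u, h["remote"]) for u in library_uris(cmd)]
    return findings

# Constructed sample inventory (hypothetical hosts, endpoint and image names).
SAMPLE = [
    {"name": "hpc-a", "version": "singularity version 3.7.3-1.el8", "remote": "library.example.org",
     "commands": ["singularity exec library://lab/tools/aligner:1.2 align in.fq",
                  "singularity pull library://lab/tools/aligner:1.2"]},
    {"name": "hpc-b", "version": "3.7.1", "remote": "library.example.org",
     "commands": ["singularity run library://lab/tools/aligner:1.2"]},
    {"name": "hpc-c", "version": "3.7.2", "remote": "cloud.sylabs.io",
     "commands": ["/usr/bin/singularity shell library://lab/tools/aligner:1.2"]},
]
```

Each finding names an image that should be treated as possibly fetched from cloud.sylabs.io rather than from the intended endpoint listed in the third field.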