CVE-2022-23538: 
Linux Alpine vulnerability analysis and mitigation

CVE-2022-23538 affects the github.com/sylabs/scs-library-client, which is the Go client for the Singularity Container Services (SCS) Container Library Service. The vulnerability was discovered and disclosed in January 2023, affecting versions 1.3.2, 1.3.3, 1.4.0, and 1.4.1 of the library client (GitHub Advisory).

The vulnerability occurs when the scs-library-client performs container image pulls with authentication. During a specific flow where the library service redirects the client to a backing S3 storage server for multi-part concurrent downloads, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to the S3 backing storage provider. The vulnerability has been assigned a CVSS v3.1 base score of 5.2 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N and is classified as CWE-522 (Insufficiently Protected Credentials) (GitHub Advisory, NVD).

An attacker with access to the S3 service may be able to extract user credentials, allowing them to impersonate the user. This vulnerability only affects communications with Singularity Enterprise 1.x installations or third-party servers implementing the vulnerable flow. Interactions with Singularity Enterprise 2.x and Singularity Container Services (cloud.sylabs.io) are not affected (GitHub Advisory).

The vulnerability has been patched in versions >=1.3.4 < 1.4.0 and >=1.4.2. For version 1.3 series, the fix was implemented in commit 68ac4ca, while for the 1.4 series, the fix was implemented in commit eebd7ca. Users who interact with a Singularity Enterprise 1.x installation using a third-party S3 storage service are advised to revoke and recreate their authentication tokens within Singularity Enterprise. No other workarounds are available (GitHub Advisory).