CVE-2022-24778: Incorrect Authorization in Imgcrypt

Severity
NVD: 7.5 HIGH
OSV: 6.5
EPSS
0.3% (top 43.81%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 25
Latest update: Dec 13

Description

The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current user is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (4 packages)

CVEListV5: containerd/imgcrypt < 1.1.4
Ubuntu: containerd/containerd < 1.5.9-0ubuntu1~18.04.2+2

Also affects: Fedora 34, 35, 36

Patches

Vulnerability Details (5)

OSV: containerd vulnerabilities (2022-12-13)
OSV: Incorrect authorization in github.com/containerd/imgcrypt (2022-04-28)
OSV: Incorrect Authorization in imgcrypt (2022-03-28)
GHSA: Incorrect Authorization in imgcrypt (2022-03-28)
OSV: CVE-2022-24778: The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for (2022-03-25)

Vendor Advisories (2)

Ubuntu: containerd vulnerabilities (2022-12-13)
Red Hat: imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path (2022-03-25)