Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-24778

Опубликовано: 25 мар. 2022
Источник: nvd
CVSS3: 7.5
CVSS2: 5
EPSS Низкий

Описание

The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function CheckAuthorization is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other archite

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:linuxfoundation:imgcrypt:*:*:*:*:*:*:*:*
Версия до 1.1.4 (исключая)
Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

EPSS

Процентиль: 56%
0.00333
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-863
CWE-863

Связанные уязвимости

ubuntu логотип

CVE-2022-24778

CVSS3: 7.5
ubuntu
почти 4 года назад

The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other arch...

redhat логотип

CVE-2022-24778

CVSS3: 7.4
redhat
почти 4 года назад

The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other arch...

github логотип

GHSA-8v99-48m9-c8pm

CVSS3: 7.5
github
почти 4 года назад

Incorrect Authorization in imgcrypt

EPSS

Процентиль: 56%
0.00333
Низкий

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-863
CWE-863