Incorrect authorization in containerd imgcrypt



Published: 2022-06-28
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-24778
CWE-ID CWE-863
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
imgcrypt
Universal components / Libraries / Libraries used by multiple products

Vendor containerd

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Incorrect authorization

EUVDB-ID: #VU64699

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-24778

CWE-ID: CWE-863 - Incorrect Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. A remote attacker can run an image without providing the previously decrypted keys and gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

imgcrypt: 1.0.0 - 1.1.3

External links

http://github.com/containerd/imgcrypt/releases/tag/v1.1.4
http://github.com/containerd/imgcrypt/security/advisories/GHSA-8v99-48m9-c8pm
http://github.com/containerd/imgcrypt/issues/69
http://github.com/containerd/imgcrypt/commit/6fdd9818a4d8142107b7ecd767d839c9707700d9


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###